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-  '"Abstract^  A  program  to  control  a  robot  manipulator  for  industrial  assembly  operations  must 
take  into  account  possible  errors  in  parts  placement  and  tolerances  of  the  parts  themselves. 
Previous  approaches  to  this  problem  have  been  to$  engineer  the  situation  so  that  the 
errors  are  small  or  let  the  programmer  analyse  the  errors  and  take  explicit  account 
of  them.  This  paper  gives  the  mathematical  underpinnings  for  building  programs  (plan 
checkers )  to  carry  out  approach  (2j  automatically.  The  plan  checker  uses  a  geometric 
CAD- type  database  to  infer  the  effects  of  actions  and  the  propagation  of  errors.  It  does 
this  symbolically  rather  than  numerically,  so  that  computations  can  be  reversed  and  desired 
resultant  tolerances  can  be  used  to  infer  required  initial  tolerances  or  the  necessity  for 
sensing.  The  checker  modifies  plans  to  include  sensing  and  adds  constraints  to  the  plan 
which  ensure  that  it  will  succeed.  An  implemented  system  is  described  and  results  of  its 
execution  are  presented.  The  plan  checker  could  be  used  as  part  of  an  automatic  planning 
system  or  as  an  aid  to  a  human  robot  programmer. 
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Automatic  generation  of  plant  for  robot!  it  a  rich  field  of  retearch  that  hat  many 


unsolved  problems.  Very  few  attempts  have  been  made  to  build  programs  which  completely 
and  automatically  generate  a  robot  plan,  then  command  the  robot  to  actually  carry  it  out. 
Section  6  mentions  some  previous  attempts  and  their  successes  and  shortcomings.  Most 
tasks  carried  out  by  today’s  robots,  even  in  centers  of  Artificial  Intelligence  research,  are 
planned  by  people. 

The  term  robot  planner  is  used  to  refer  to  an  agent  planning  to  use  a  robot  manipulator 
to  perform  some  task.  A  robot  planner  may  either  be  a  person  planning  the  actions  to  be 
carried  out  by  a  robot,  or  an  intelligent  program  performing  the  same  task.  Even  for  people, 
the  task  is  quite  difficult  and  it  is  worthwhile  building  automatic  aids. 


This  paper  provides  the  underpinnings  for  building  programs  that  can  automatically 
check  whether  a  plan  generated  by  a  robot  planner  is  feasible,  i.e.  whether  it  is  applicable 
and  under  what  circumstances  it  will  achieve  the  goals  set  by  the  robot  planner.  Such  pro¬ 
grams  are  called  plan  checkers.  In  addition,  plan  checkers  can  at  times  provide  information 


on  how  to  fix  a  plan  to  ensure  that  it  will  work. 

After  a  plan  has  been  checked,  a  robot  controller  executes  the  plan,  using  a  robot 
manipulator  and  sensors  to  interact  with  the  physical  world.  The  plan  checker  must  reason 
about  the  capabilities  of  the  robot  controller  in  order  to  check  and  modify  plans  for  the 
computations  that  the  controller  will  make  in  interpreting  sensor  readings. 

In  many  implementations  of  robot  systems  the  distinctions  between  the  three  agents, 
planner,  checker  and  controller,  will  be  much  fuzzier  than  shown  in  figure  1. 

1.1  Uncertainties. 


A  major  thrust  or  this  work  is  in  ensuring  that  a  plan  will  succeed  in  spite  of  uncer¬ 
tainties  in  the  physical  world  whose  values  can  not  be  exactly  determined  at  the  time  th< 
plan  is  formulated.  There  are  three  major  sources  of  uncertainties.  .  jy_ _ 
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1.  Robot  manipulator*!  arc  complex  mechanical  devices.  There  are  upper  bounds  on  speed 
and  payload,  and  limits  to  accuracy  and  repeatability.  The  absolute  positional  accuracy  of 
a  manipulator  is  the  error  in  that  csults  when  it  is  instructed  to  position  its  end  effector 
at  a  specified  position  and  orientation  in  space.  This  may  depend  on  temperature,  load, 
speed  of  movement  and  the  particular  position  within  its  work  area.  Furthermore,  in  a 
situation  where  these  parameters  are  all  fixed,  a  manipulator  will  not  in  general  return  to 
precisely  the  same  location  and  orientation  when  commanded  to  repeat  an  operation  over 
and  over.  The  error  measures  the  positional  repeatability.  There  can  be  contributions  from 
stochastic  effects,  and  from  long  term  drift  effects  which  can  be  corrected  by  calibration. 
The  positional  and  repeatability  errors  of  current  manipulators  are  sufficiently  large  to 
cause  problems  in  carrying  out  a  large  class  of  planned  tasks  in  the  absence  of  feedback 
during  plan  execution.  Manipulators  can  be  made  more  accurate  by  machining  their  parts 
more  accurately  and  using  more  resilient  materials.  There  is  however  a  tradeoff  between 
cost  and  performance  of  manipulators,  so  that  there  is  a  point  of  diminishing  returns  in 
trying  to  build  ever  more  accurate  mechanisms. 

2.  To  make  matters  worse  for  the  robot  planner,  multiple  copies  of  a  mechanical  part  are 
never  identical  in  all  their  dimensions.  It  is  impossible  to  manufacture  parts  with  exact 
specifications.  Instead,  designers  specify  tolerances  for  lengths,  diameters,  and  angles. 
Parts  made  from  the  design  can  take  on  any  physical  values  for  the  parameters  which  fall 
within  the  designed  tolerances.  The  effects  of  these  variations  might  be  large  enough  by 
themselves  to  be  a  significant  factor  in  the  success  or  failure  of  a  planned  robot  manipulator 
task.  When  many  parts  are  assembled  into  a  whole,  the  individual  small  variations  can 
combine  and  become  large. 

3.  Often  the  most  significant  source  of  uncertainty  is  the  position  and  orientation  of  a 
workpiece  when  it  is  first  introduced  into  the  task.  Mechanical  feeders  sometimes  deliver 
parts  with  large  uncertainties  in  position  and  orientation,  sometimes  on  the  order  of  50% 
of  the  me  of  the  part.  Conveyor  belts  deliver  parts  with  even  larger  uncertainties.  A  robot 
planner  often  includes  actions  in  the  plan  that  are  aimed  at  significantly  reducing  these 
initial  uncertainties.  The  methods  described  in  this  paper  can  be  used  to  analyse  those 


subplans  also. 


A  plan  for  a  robot  to  carry  out  a  task  must  take  into  account  these  three  sources  of 
uncertainty  if  it  is  to  be  guaranteed  to  succeed.  There  arc  two  standard  responses  to  the 
problems  of  uncertainties.  One  is  to  ignore  them,  based  on  the  assumption  that  they  are 
too  small  to  affect  the  success  of  the  plan  based  on  nominal  values.  (Significant  engineering 
may  be  necessary  to  ensure  the  validity  of  such  an  assumption,  c.g.  the  construction  of  jigs 
and  pallets.)  A  second  is  to  estimate  the  uncertainties,  compute  the  effects  of  uncertainties, 
and  then  decide  if  they  are  too  large  for  the  plan  to  work.  This  paper  offers  a  third 
approach.  It  consists  of  computing  the  effects  of  the  uncertainties  symbolically.  If  they 
arc  small  enough,  the  plan  can  be  accepted.  Otherwise  the  most  significant  uncertainties 
can  be  identified,  and  the  plan  can  then  either  be  constrained  to  succeed  in  spite  of  them, 
methods  can  be  identified  to  reduce  those  uncertainties,  or  the  plan  can  be  modified  to  use 
a  different  approach  which  can  succeed. 

Throughout  the  paper  uncertainty  is  used  rather  than  error.  ThiB  is  intended  to  stress 
that  robot  plans  can  take  into  account  what  are  traditionally  called  errors,  and  deal  with 
them  in  a  manner  which  ensures  that  the  plans  will  succeed. 

The  theme  of  this  paper  is  that  while  uncertain  situations  are  hard  to  compute  with 
directly,  it  is  possible  to  make  inferences  about  uncertainties  and  compute  with  those 
inferences. 

1.2  Plans. 

Minsky  (1963)  introduced  the  notion  of  hierarchically  decomposing  a  plan  into  sub- 
plans,  called  planning  islands.  A  plan  is  split  up  into  a  linear  sequence  of  smaller  subplans 
—  see  figure  2.  Each  level  is  more  detailed.  The  levels  are  often  called  levels  of  abstraction. 
The  process  of  planning  then  consists  of  making  a  top-level  plan  less  and  less  abstract  by 
decomposing  it  into  subplans,  and  filling  in  details  at  the  lower  levels. 
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Figure  2.  Flans  .cam  be  decomposed  hierarchically  into  stifeplaos.  Any  particular  subplan, 
e.g.  A  or  B,  can  be  abstractly  viewed  as  a  complete  plan  to  get  from  the  state  left  by  its 
left  neighbor  to  the  state  desired  by  its  right  neighbor. 

There  are  various  constraints  that  link  the  more  detailed  subplans  together.  For 
instance,  if  subpias  A  is  followed  immediately  by  subplan  B,  then  at  entry  to  subplan 
B  the  robot  planner  assumes  the  state  of  the  world  to  be  that  upon  exit  from  subplan  A. 
Thus  each  subplan  imposes  constraints  on  subplans  that  follow.  Dually,  a  subplan  inherits 
constraints  from  preceeding  subplans. 

At  any  stage  of  a  planning  process  there  may  be  many  decisions  that  have  been 
deferred  until  later  constraints  generated  by  the  planning  process  have  been  checked  (this  is 
commonly  referred  to  as  posting  constraints,  e.g.  Sacordoti  (1977),  Stefik  (1981)).  There  is 
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Figure  3.  At  any  level  of  abstraction  a  plan  consists  of  specifications  of  the  initial  and  final 
states  along  with  an  action  to  effect  the  transition. 


little  advantange  to  making  a  decision  until  absolutely  necessary.  Instead,  facts  that  affect 
a  decision  should  be  collected  along  the  way  and  the  decision  should  be  made  only  when 
it  is  forced.  Eventually  the  combined  effects  of  the  facts  affecting  a  decision  have  been 
propagated  and  it  simply  remains  to  make  all  of  the  outstanding  decisions  while  satisfying 
the  constraints. 

Each  subplan  can  be  considered  at  some  level  of  abstraction  to  conform  to  the  scheme 
of  figure  3.  There  is  a  class  of  possible  initial  states  of  the  World  (which  should  include  all 
states  which  meet  the  conditions  imposed  by  the  previous  subplan  in  the  chain).  There  is 
a  class  of  possible  final  states  of  the  world.  The  action  is  a  mapping  from  initial  atates  to 
final  states.  The  possible  final  states  should  be  a  subset  of  the  initial  states  which  can  be 
handled  by  the  following  subplan. 

Figure  4  shows  a  plan  that  has  been  modified  to  include  some  sensing  operations.  The 
role  of  the  robot  controller  is  now  clear.  It  must  interpret  the  sensory  data  and  relate  it  to 
parameters  of  the  planned  action. 
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Thus  a  robot  planner  must  maintain  two  models,  une  is  a  model  or  the  world.  The 
other  is  a  model  of  the  state  of  knowledge  of  the  robot  controller  (which  will  perhaps  be 
itself)  at  the  time  the  plan  is  being  executed.  The  robot  planner  must  reason  about  the 
interpretation  capabilities  of  the  robot  controller,  in  terms  of  the  knowledge  it  will  have 
from  sensory  data  and  its  knowledge  retained  from  previous  plan  steps. 

It  is  assumed  for  simplicity  that  a  plan  generated  by  the  robot  planner  corresponds 
to  figure  3.  The  plan  may  include  sensing  operations  but  they  may  be  considered  to  be 
hidden  in  the  black  box  of  the  initial  state.  The  plan  checker  need  only  concern  itself  with 
sensing  operations  that  it  suggested.  In  reality,  the  robot  planner  and  plan  checker  may 
well  be  highly  integrated,  or  even  indistinguishable.  The  essence  of  the  model  presented 
here  nevertheless  remains  valid  in  that  context. 

The  approach  to  plan  checking  presented  here  makes  no  particular  commitment  to  the 
style  of  planning  used  to  generate  the  plans  originally.  In  fact  section  G.2  discusses  ways 
to  use  it  in  two  different  planing  systems  working  on  the  same  problem.  The  mathematics 
and  semantics  of  plans  arc  more  central  concerns. 

1.3  Fixing  Plans. 

When  a  plan  checker  is  checking  a  subplan,  there  are  a  number  of  possible  outcomes. 
The  following  six  are  considered  here. 

OUTCOME  Is  It  can  accept  the  plan  as  workable,  perhaps  adding  further  constraints. 

OUTCOME  2:  It  can  add  sensing  operations  to  provide  more  accurate  execution -time 
information  to  the  robot  controller,  to  ensure  that  the  plan  will  work. 

OUTCOME  3;  It  can  change  the  pre-conditions  it  requires  from  previous  subplans  in  order 
to  ensure  that  the  plan  works. 
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Figure  4.  A  plan  can  include  an  explicit  sensing  phase.  This  docs  not  change  the  initial 
state  or  the  world,  but  it  docs  change  the  robot’s  knowledge  of  the  state  of  the  world.  The 
robot  controller  must  do  some  reasoning  at  plan  execution  time  to  interpret  the  sensory 
data. 


OUTCOME  4:  It  can  do  any  of  1,  2,  or  3  with  the  additional  caveat  that  the  final  state  will 
not  meet  constraints  as  tight  aB  those  currently  required  by  the  next  subplan  in  the  chain. 

OUTCOME  5:  It.  can  reject  the  plan  if  it  determines  that  there  arc  no  sensing  operations 
available  that  are  powerful  enough  to  guarantee  that  the  action  will  be  applicable. 

OUTCOME  6:  It  can  reject  the  plan  if  it  is  deemed  geometrically  infeasible  independent  of 
how  much  the  uncertainties  in  the  physical  system  can  be  reduced  by  sensing  operations. 

The  aigorithm  presented  later  in  this  paper  has  five  of  these  six  possible  outcomes.  In 
addition  a  mathematical  model  is  developed  which  provides  a  framework  for  designing  such 
algorithms  given  any  suitable  mechanism  for  inference  on  constraints. 
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1.4  Outline  of  the  Paper. 


The  paper  approaches  plan  checking  in  three  ways. 

1.  Section  2  presents  two  examples  of  the  use  of  symbolic  algebra  and  reasoning  to  analyse 
uncertainties  in  physical  situations. 

The  first  example  is  a  single  step  in  a  plan  presented  in  full  detail.  The  algebraic 
expressions  involved  have  the  complexity  that  can  be  expected  in  realistic  plan  checking 
tasks.  It  is  due  to  Taylor  (1976).  He  estimated  errors  in  an  assembly  task  by  propagat¬ 
ing  numerical  errors  forward  through  a  geometric  model  of  a  physical  situation.  In  this 
paper,  however,  symbolic  expressions  arc  computed  and  propagated.  Once  the  algebraic 
inequalities  are  set  up,  it  is  possible  to  use  them  in  several  ways.  KirBt  following  Taylor,  the 
initial  constraints  can  be  fixed  and  the  results  computed.  Second,  the  desired  results  can 
be  fixed  and  the  constraints  those  results  imply  for  the  initial  situation  can  be  computed. 

The  second  example  is  a  simplified  version  of  an  assembly  operation  carried  out  by 
Taylor  (Albus  and  Evans  (1976)  have  a  series  of  photographs).  It  includes  the  interactions 
of  four  plan  islands  and  is  intended  to  demonstrate  realistic  interactions  which  can  occur 
between  steps  in  a  plan.  The  algebraic  expressions  are  perhaps  simpler  than  might  be  found 
in  a  more  realistic  plan.  Section  2  introduces  the  example  which  is  then  used  throughout 
the  text  to  motivate  and  exemplify  the  theoretical  constructs.  It  is  simplified  to  bring  out 
the  essential  aspects  of  the  plan  checking  algorithm  in  such  a  way  that  the  symbolic  algebra 
can  be  followed  without  the  aid  of  a  computer. 

2.  Section  3  develops  a  formal  model  of  plans.  In  addition  it  shows  how  sensing  opera¬ 
tions  affect  the  structure  of  a  plan.  Section  4  then  examines  the  formal  mathematics  of 
constraints  within  this  framework,  and  identifies  the  properties  of  mathematical  quantities 
associated  with  a  plan  which  can  be  used  to  check  the  validity  of  the  plan,  suggest  sensing 
operations,  and  propagate  constraints  forwards  and  backwards  between  planning  islands. 
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3.  Section  5  instantiates  the  formal  model  of  a  plan  checker  developed  in  sections  3  and  4  in 
terms  of  certain  computable  properties  of  non-linear  algebraic  inequalities.  An  algorithm 
exists  to  compute  these  properties.  The  instantiated  plan  checker  is  able  to  carry  out 
precisely  the  computations  developed  in  the  example  of  section  2. 

Finally  section  6  relates  this  work  to  previous  work  on  planning,  and  points  out 
problems  and  areas  for  further  development. 


2.  Some  Examples 


Two  examples  of  plan  checking  are  given  in  this  section.  The  first  example  shows 
the  essential  features  of  the  plan  checking  algorithm  on  a  realistic  single  plan  island.  It 
demonstrates  the  basic  idea  of  propagating  desired  results  backwards  through  tolerance 
and  uncertainty  computations.  The  second  example  uses  simplified  geometry  but  shows 
four  interacting  plan  islands.  Only  its  structure  is  introduced  in  this  section,  along  with  a 
summary  of  the  results  of  running  an  implemented  plan  checker  over  it.  It  demonstrates  how 
a  plan  checker  can  choose  the  best  place  to  introduce  sensing  into  a  sequence  of  operations, 
and  how  it  can  resolve  plan  decisions  which  may  not  be  intuitively  obvious.  The  example 
is  considered  in  more  detail  in  section  5  to  illustrate  the  behavior  of  an  implemented  plan 
checking  algorithm.  The  appendix  shows  the  complete  specification  of  the  four  plans  as 
given  to  the  implemented  plan  checker. 

2.1  A  Realistically  Complex  Example. 

This  section  illustrates  a  plan  checker  symbolically  analyzing  the  uncertainties  involved 
in  a  simple  insertion  task.  The  example  is  taken  from  Taylor  (1976).  It  contrasts  the 
approach  of  propagating  numeric  errors  with  the  methods  described  later  in  this  paper  for 
symbolic  analysis  of  uncertainties.  The  computations  for  this  example  were  carried  out  by 
the  ACRONYM  model  based  vision  system,  described  in  in  Hrooks  (1981a)  and  in  more 
detail  in  Hrooks  (1981b). 

Figure  5  is  a  close  up  view  of  a  model  of  the  situation  described  in  example  2  of 
Appendix  E  of  Taylor  (1976). 

There  is  a  box  with  four  holes  in  its  top  sitting  on  a  table  with  a  given  position  and 
orientation  about  the  vertical  axis.  The  position  and  orientation  are  subject  to  known 
uncertainties.  A  manipulator  hand  holding  a  screwdriver,  with  a  screw  at  the  end,  is  placed 
above  one  of  the  holes.  It  has  three  degrees  of  position  uncertainty,  and  three  degrees  of 
orientation  uncertainty.  In  addition  the  screw  has  two  degrees  of  rotational  freedom  in  its 


Figure  5.  A  box  rests  upon  a  table  with  an  uncertain  position  and  orientation.  A 
manipulator  hand  with  uncertain  position  and  orientation  grasps  a  screwdriver  to  which  a 
screw  is  attached  with  two  rotational  degrees  of  freedom. 

attachment  to  the  screwdriver.  It  can  wobble  backwards  and  forwards  about  two  orthogonal 
axes  which  go  through  the  center  of  the  end  of  the  screwdriver  shaft.  If  all  the  uncertainties 
in  position  and  orientation  arc  zero  then  the  tip  of  the  screw  should  be  exactly  in  the  center 
of  the  hole  on  the  box. 

Taylor  used  the  following  constraints  on  the  errorB.  The  variable  names  are  mnemonics 

for  the  errors  to  which  they  refer. 

—0.3  <  BOX-DELTA-POS-X  <  0.3 

—0.2  <  B0X-DEITA-P0S-Y  <  0.2 

—5°  <  BOX-DEITA-ORI  <  5° 

—  0.05  <  IIAND-DELTA-POS-X  <  0.05 

--0.05  <  HAND-DELTA-POS-Y  <  0.05 

—0.25°  <  HAND-fOBBI.E-X  <  0.25° 

—0.25°  <  HAND-iOBBl.E-Y  <  0.25° 

—0.25°  <  HAND-WDBBI.E-Z  <  0.25° 

-5°  <  SCREW-WOBBLE-Y  <  5° 

—  5°  <  SCREW -WOBBLE'Z  <  5° 
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Taylor  assumed  a  screwdriver  of  length  DRIVER-LENGTH  that  was  exactly  1®  inches.  A  fixed 
screw  length  was  also  assumed. 

Taylor  was  interested  in  predicting  the  uncertainty  that  could  be  tolerated  in  the 
location  of  the  tip  of  the  screw  relative  to  the  center  of  the  hole.  This  can  be  done  by 
tracing  through  the  coordinate  transforms  relating  the  parts  of  the  model  to  get  a  symbolic 
expression  for  the  coordinates  of  the  screw  tip  in  the  coordinate  system  or  the  hole.  The 
coordinate  transforms  can  then  be  multiplied  out  symbolically  (provided  suitable  algebraic 
simplification  can  be  done  -  see  Brooks  (1981a)}  to  get  expressions  for  the  three  coordinates. 
With  aero  errors  these  coordinates  would  be  (0,0,0).  The  ranges  of  possible  values  for 
the  three  coordinates  indicate  the  position  errors  in  the  placement  of  the  screw  tip.  The 
following  is  the  expression  so  obtained  for  the  error  in  the  y-coordinate. 

Ay  =  —  1.260  —  1.516  X  si n (BQX-DELTA-ORl) 

—  1.25  X  sin(HAND-WOBBLE-Y)  X  sin(SCREW-WOBBLE-Z)  X  sin( — HAND-WOBBLE-X) 

X  sin(BOX-DELTA-0RI  -f  HAND- WOBBLE- Z) 

—  BOX-DELTA-POS-Y  X  Cos(BOX-DELTA-ORl) 

—  HAND-DELTA-POS-X  X  sin(BOX-DELTA-ORl) 

4-  1.25  X  COs(HAND-WOBBLE-Y)  X  cos(SCREW-WOBBLE-Z)  X  sin(SCREW-WDBBLE-Y) 

X  sin(BOX-DELTA-ORI  -f  HAND-WOBBLE-Z) 

-|-  1.25  X  cos(sCREW'iOBBLE-Y)  X  COs(SCREW-WOBBLE-Z) 

X  cos( — HAND-VOBBLE-X)  X  sin(HAND-IOBBLE-Y) 

X  sm(B0X-DELTA-0RI  +  HAND-WOBBLE-Z) 

4-  1.25  X  co8( SCREW-WOBBLE- Y)  X  cos(SCBEW-WOBBLE-Z) 

X  com(BOX-DELTA-QRI  4  HAND-WOBBLE- Z)  X  si II ( — HAND- WOBBLE-X) 

4-  1.25  X  cos(— HAND-WOBBLE-X)  X  co»(BOX-DELTA-ORI  -j-  HAND-WOBBLE-Z) 

X  si n( SCREW- WOBBLE- Z) 

-1-  1.260  X  cos(BOX-DELTA-ORl) 

4-  BOX-DELTA-POS-X  X  sin(BOX-DELTA-ORl) 

4-  DRIVER-LENGTH  X  COs(— HAND-WOBBLE-X)  X  sili(HAND-WOBBLE-Y) 

X  sin(BOX-DELTA-ORl  -f  HAND-WOBBLE-Z) 

4-  DRIVER-LENGTH  X  cos(BQX-DElTA-ORI  +  HAND-WOBBLE-Z) 

X  sin(— HAND-WOBBLE-X) 

-I-  HAND-DELTA-PQS-Y  X  COs(BOX-D8LTA-0Rl) 


The  expressions  for  Ai  and  A z  are  similarly  complex. 


The  symbolic  expression  bounding  algorithms  described  in  Brooks  (1981a)  were  applied 
to  the  three  coordinate  expressions,  given  the  above  error  bounds.  The  results  were: 

•  -0.0607  <  Ax  <  0.0510 

-0.590  <  Ay  <  0.585 

-0.660  <  Az  <  0.654 

where  -j-x  is  the  direction  down  the  hole  (note  that  this  is  a  different  coordinate  system  to 
that  used  by  Taylor).  These  bounds  compare  favorably  with  those  obtained  by  Taylor: 

—0.05  <  Az  <  0.05 

—0.54  <  Ay  <  0.54 

—0.62  <  Az  <  0.62 

Taylor  achieved  smaller  estimates  by  using  more  powerful  numerical  methods,  and  by 
ignoring  some  small  terms. 

However  by  carrying  out  the  computation  symbolically  it  is  possible  to  answer  a  much 
richer  class  of  questions  about  the  geometry  and  the  constraints.  Rather  than  simply 
computing  an  error  estimate  based  on  propagation  of  errors  through  the  physical  system 
as  above,  it  is  possible  instead  to  start  from  a  desired  tolerance  and  infer  constraints  on  the 
initial  situation. 

Suppose,  for  instance,  that  the  insertion  task  illustrated  in  figure  5  is  to  be  achieved  by 
applying  a  downward  force,  compliant  about  the  screw  tip,  using  either  a  passive  compliance 
device  (e.g.  Drake  (1977))  or  active  dynamic  control  (e.g.  Salisbury  (1980)).  Then  it  is 
sufficient  that  the  tip  of  the  screw  falls  somewhere  in  the  top  of  the  open  hole.  Note  that 
the  hole  opening  is  the  size  of  the  head  of  the  screw  rather  than  the  size  of  the  screw  shaft. 
Compliant  motion  will  guide  the  screw  into  its  correctly  seated  position.  This  constraint 
can  be  expressed  by 

y/(Ay)2  +  (Ai)3  <  0.25 

where  the  hole  opening  has  radius  0.25  inches.  To  simplify  the  algebra  slightly  so  that  the 
algorithms  described  in  Brooks  (1981a)  can  handle  it,  and  since  the  errors  in  the  y  and 


z  coordinates  art  essentially  independent,  it  is  sufficient  in  this  case  to  approximate  the 
above  constraint  with  the  following  two: 


-0.25\/(h5  <  Ay  <  0.25^63 
-0.25\/0l  <  Az  <  0.25v^h5 


These  constraints  ensure  that  the  action  will  succeed.  They  can  be  used  to  check  the 
plan  for  the  insertion  task  in  any  well  characterized  circumstances. 

The  following  example  uses  a  tighter  set  of  constraints  than  those  used  by  Taylor  on 
errors  in  placement  of  the  box.  The  box  placement  errors  he  used  tend  to  swamp  any  other 
errors.  A  smaller  amount  of  wobble  in  the  attachement  of  the  screw  to  the  screwdriver  is 
also  assumed.  The  following  bounds  on  the  errors  are  assumed: 


-0.05 

< 

BOX-DELTA-PQS-X 

<  0.05 

-0.05 

< 

BOX-DELTA-POS-Y 

<  0.05 

1 

O 

h 

< 

BOX-DELTA-QRI 

<  0.5° 

-0.05 

< 

HAHD-DELTA-POS-X 

<  0.05 

-0.05 

< 

HAND-DELTA-POS-Y 

<  0.05 

-0.25° 

< 

HAND-W0BBLE-X 

<  0.25° 

-0.25° 

< 

HAND- WOBBLE- Y 

<  0.25° 

—0.25° 

< 

HAND-W0BBLE-Z 

<  0.25° 

-2° 

< 

SCREW-WOBBU-Y 

<  2° 

-2° 

< 

SCREW-fOBBLE-Z 

£  2" 

It  is  further  presumed  that  the  screwdriver  length  is  not  pre-determined  —  i.e.  there  are 
a  number  of  screwdrivers  of  different  lengths  available  for  use.  The  plan  generated  must 
include  selection  of  one  for  this  task,  however  it  is  known  in  advance  that 

DRIVER- LENGTH  >  0.0. 


From  the  bounds  on  the  errors  and  the  expressions  Tor  Ax,  Ay  (such  as  above)  and  Ax 
it  is  possible  to  deduce  bounds  on  those  expressions  in  terms  of  the  undetermined  variable 
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DRIVER-LENGTH.  For  instance 

—0.164  —  0.004420  X  DRIVER-LENGTH  <  Ay  <  0.164  -f-  0.004420  X  DRIVER-LENGTH 
can  be  deduced. 

The  desired  constraints  on  Ay  and  A z  can  then  be  applied  to  these  bounds.  ThuB 

— 0.25\/o3  <  —0.164  —  0.004420  X  DRIVER-LENGTH 

0.164  -f  0.004420  X  DRIVER-LENGTH  <  0.25v"(h5 
— 0.25\/oi5  <  —0.162  —  0.004204  X  DRIVER-LENGTH 

0.162  -f  0.004204  X  DRIVER-LENGTH  <  0.25vC5 
are  sufficient  to  guarantee  that  the  insertion  strategy  will  not  fail  due  to  the  screwdriver 
tip  being  outside  of  the  boundary  of  the  hole.  These  inequalities  are  satisfied  whenever 

DRIVER-LENGTH  <  2.92. 


2.2  Simplified  Coupled  Plans. 

In  this  section  four  coupled  planning  islands  are  considered.  A  plan  checker  propagates 
the  effects  of  actions  from  one  island  to  the  next,  checking  whether  the  errors  accumulate 
to  such  a  degree  that  planned  actions  are  untenable.  When  this  happens  it  chooses  the 
best  place  in  the  sequence  of  steps  to  introduce  a  sensing  operation.  At  the  same  time  it 
constrains  unresolved  decisions  within  the  plan  framework. 

The  computations  for  these  examples  were  carried  out  by  an  improved  version  of 
the  constraint  system  described  in  Hrooks  (1981a).  The  new  version  can  handle  exploit 
disjunctions  of  constraints  (whereas  the  old  version  dealt  only  with  conjunctions).  Coupling 
plans  often  introduces  disjunctions.  As  a  by-  product  the  new  version  is  also  able  to  handle 
quadratic  forms  better  than  the  old. 


Thus  a  symbolic  analysis  of  the  uncertainties  in  the  positions  and  orientations  of  workparts 
and  the  robot  manipulator  has  provided  a  constraint  on  the  tool  to  be  used  to  achieve  the 
desired  goal. 


1? 


Consider  figure  6.  A  box  has  previously  been  put  on  a  table  by  a  two  link  manipulator. 
The  task  is  for  the  manipulator  to  place  a  lid  on  top  of  the  box  then  insert  a  bolt.  The 
only  source  of  uncertainty  considered  is  the  inaccuracy  in  the  joints  of  the  manipulator.  A 
visual  position  sensor  is  available  and  is  subject  to  error. 

2.2.1  Geometry  of  the  objects  and  sensors. 

The  manipulator  has  two  links  and  two  parallel  revolute  joints.  It  is  thus  restricted  to 
work  in  a  single  vertical  plane.  Each  link  is  24  inches  long.  Each  joint  can  be  positioned 
to  within  ^0.1°.  The  plans  below  only  require  that  it  operate  at  approximately  the  height 
of  its  first  joint,  and  at  a  range  of  12  to  36  inches  from  that  joint.  Using  the  coordinate 
system  shown  in  figure  6  the  uncertainty  Ax  in  the  x  direction  of  its  end-effector  when 
nominally  at  coordinates  (x,0)  can  be  bounded  by 

max(0.00022J5x  —  0.043262,0. 0009857a:  —0.063329)  <  Ax 

iniu(0.043262  -  0.0002253x,  0.063329  —  0.0009895x)  >  Ax  (2.2.1) 

over  x  €  [12, 36).  These  bounds  arc  no  more  than  6%  larger  than  the  actual  uncertainties 
over  that  range.  Note  that  the  position  error  is  larger  for  smaller  x  and  smaller  for  larger 
x.  The  y  position  error  behaves  inversely  to  the  x  error.  I.c.  y  error  is  small  for  small  x 
and  large  for  large  x.  However  in  these  plans  only  the  x  error  is  considered. 

The  box  is  2  inches  long  in  the  direction  parallel  to  the  x-axis.  Initially  the  box  sits  on 
the  table  with  an  x  coordinate  represented  by  the  named  physical  quantity  box.-position. 
Since  the  box  was  placed  on  the  table  by  the  manipulator,  the  uncertainty  in  that  position 
can  be  characterized  by  (2.2.1)  above.  The  bolt  hole  in  the  box  is  0.125  inches  in  diameter. 

The  lid  of  the  box  is  the  same  size  as  the  box.  The  hole  through  it  has  a  0.125  inch 
bore  which  flares  to  0.25  at  the  top  of  the  lid. 

The  boR  is  0.125  inches  in  diameter.  The  tip  of  the  bolt  narrows  down  to  1/32  — 
0.03125  inches  diameter  at  the  Up.  Once  the  tip  is  seated  in  a  hole  the  manipulator  is 
compliant  enough  for  the  bolt  to  be  inserted  without  moving  the  object  into  which  it  ie 
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Figure  G.  A  two  link  manipulator  must  place  a  lid  on  a  box  then  insert  a  1/8  inch  bolt 
(with  a  1/32  inch  tip)  through  the  lid  with  a  1/4  inch  opening  and  into  a  1/8  inch  hole  in 
the  box. 

fP 

being  inserted. 

The  visual  sensor  is  placed  directly  above  the  base  of  the  manipulator  with  a  horizontal 
line  ol  sight.  It  can  measure  the  distance  of  an  object  on  the  table  top  by  the  displacement 
of  its  image  from  the  center  of  the  image  plane.  The  sensor  is  subject  to  error,  and  the 
larger  the  distance  it  must  measure,  the  larger  is  the  error.  The  implemented  plan  checker 
has  been  run  with  a  number  of  different  models  for  the  error  characteristics  for  the  sensor. 

The  errors  are  modelled  by  two  functions:  l»  and  rs  dependent  on  the  sensor  reading 
m.  Thus  for  a  true  physical  value  v  the  Bcnsor  will  produce  a  reading  m  such  that 

m  -4-  l»(m)  <  v  <  m  -f  r,(m). 
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An  example  sensor  has  —  l,(m)  =  rs(m)  =  0.0004  X  m,  and  then  for  physical  value  v 
the  sensor  is  guaranteed  to  give  a  reading  m  where 

m  -)-  l,(m)  —  0.9996  X  m  <  v  <  1.0004  x  m  =  m  +  ha[m).  (2.2.2) 

2.2.2  A  four  stage  plan. 

The  plan  is  broken  into  four  subplans;  (A)  move  the  lid  to  a  position  above  the  box, 
(II)  put  down  the  lid,  (C)  move  the  bolt  to  above  the  lid  and  (D)  insert  the  bolt.  Note  that 
the  steps  to  acquire  the  lid  and  bolt  are  ignored  in  this  formulation.  This  is  to  simplify  the 
problem  for  presentation. 

The  initial  state  of  the  world  is  determined  by  the  position  of  the  box.  It  was  placed 
by  the  manipulator  at  box.-position  with  uncertainty  given  by  (2.2.1). 

The  four  subpians  are  given  in  more  detail.  The  full  dotails  of  how  they  are  presented 
to  the  implemented  plan  checker  are  given  in  the  appendix. 

Plan  A.  The  lid  is  moved  to  a  position  called  h'd.positlon.  It  has  the  same  nominal  value 
as  box.-position.  The  only  requirement  is  that  the  nominal  position  for  the  lid  is  within 
the  workspace  of  the  manipulator,  i.e. 

12  <  h'd.'positiqn  <  36. 

The  resultant  position  for  the  lid  will  be  subject  to  uncertainty  characterised  by  (2.2.1). 

Plan  I).  The  lid  is  released  onto  the  box.  For  the  subplan  to  work,  it  must  be  that  the 
center  of  gravity  of  the  lid  is  above  the  box.  Since  the  box  is  2  inches  wide  this  means  that 

— 1.0  <  lid: position  —  box.-position  <  1.0  . 

Plan  C.  The  bolt  is  moved  to  a  position  called  bolt.position.  It  has  the  same  nominal 
value  as  lid: position.  As  in  plan  A  above  the  only  requirement  is  that 

12  <  bolt: position  <  36. 
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The  resultant  position  for  the  bolt  will  be  subject  to  uncertainty  characterized  by  (2.2.1). 

Plan  D.  The  bolt  is  inserted  into  the  lid  and  through  to  the  box.  For  the  tip  of  the  bolt  to 
lie  wholly  within  the  flared  hole  in  the  lid  it  must  be  true  that 

-7/64  =  -0.109375  <  bolt.-position  -  Jid.-positlon  <  0.109375  =  7/64. 

# 

The  bolt  will  comply  with  the  hole  in  the  lid.  The  condition  necessary  for  it  to  be  inserted 
into  the  hole  in  the  box  is  then 

—3/64  =  —0.046875  <  Jid.-positlon  —  box.-positlon  <  0.046875  =  3/64. 


2.2.3  Analysis  of  the  four  plans. 

These  four  plans  will  be  used  throughout  the  text  to  illustrate  the  plan  checking 
process.  In  section  5  a  plan  checker  is  demonstrated  analysing  these  four  plans  and  their 
interactions.  A  summary  is  given  here. 

The  plan  checker  follows  through  plan  A  through  to  plan  D  before  it  encounters  a 
problem.  In  plan  I)  the  bolt  tip  can  inserted  into  the  lid  without  the  aid  of  sensing,  but 
relative  uncertainties  in  the  positions  of  the  box  and  lid  have  built  up  so  much  that  there 
is  no  guarantee  that  they  will  line  up  well  enough  for  the  bolt  to  slide  though  the  hole  in 
the  lid,  into  the  hole  in  the  box. 

The  plan  checker  identifles  the  troublesome  uncertainties  as  those  for  the  box  and 
lid  positions  but  recognizes  that  the  bolt’B  uncertainty  is  not  an  issue.  It  briefly  considers 
sensing  both  the  box  and  lid  positions,  but  without  doing  any  uncertainty  analysis  it  realizes 
that  such  sensing  will  not  change  the  geometric  possibility  of  misalignment.  The  check 
starts  to  back  up  through  the  plans  propagating  back  the  information  that  the  uncertainty 
in  the  box  and  lid  positions  seem  to  be  the  cause  of  the  problems. 

At  plan  C  the  checker  considers  sensing  the  lid  position  before  choosing  a  nominal 
position  for  the  bolt.  It  propagates  the  new  uncertainties  through  to  plan  I)  but  finds  again 
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that  the  fundamental  problem  has  not  been  changed.  The  checker  resumes  the  backing  up 
operation. 

At  plan  B  it  decides  that  there  is  nothing  to  be  sensed  which  will  be  any  different  from 
that  alresidy  tried  in  plan  C.  It  continues  to  back  up  and  gets  to  plan  A.  It  decides  that 
reducing  the  uncertainty  in  box.-positioa  may  suffice.  It  introduces  the  use  of  the  visual 
sensor  for  the  box  position  in  plan  A,  then  propagates  the  effects  forward  through  the  plans. 

Now  the  nominal  values  for  lid: position  and  boit.-posltion  depend  on  the  sensed  value 
for  boxrposition  rather  than  the  a  priori  value. 

Assume  that  a  sensor  with  error  characteristics  given  by  equation  (2.2.2)  is  used. 

When  the  checker  returns  to  plan  D  it  finds  that  the  plan  will  succeed  so  long  a8  the 
initial  box  position  is  around  either  end  of  the  range  of  (12,36].  If  the  box  is  placed  at 
the  low  end  of  this  range  then  the  sensor  accuracy  is  high  and  even  with  an  inaccurate 
manipulator  the  lid  can  be  placed  sufficiently  well  on  the  box  for  the  holes  to  align.  If  the 
box  is  placed  at  the  high  ned  of  the  range,  then  the  sensor  accuracy  will  be  lower,  but  '• 

the  extra  error  so  introduced  will  be  compensated  for  by  the  increased  horizontal  position 
accuracy  of  the  manipulator  in  that  range.  If  the  box  is  placed  in  the  middle  of  the  range 
then  it  turns  out  that  the  accuracies  of  both  the  manipulator  and  the  sensor  are  sufficiently 
bad  so  that  the  holes  in  the  box  and  lid  can  not  be  guaranteed  to  be  aligned  sufficiently.1 


‘This  result  surprised  the  author.  In  thinking  about  it  qualitatively  before  running  tbe  example 
through  the  plan  checker  it  had  seemed  that  the  any  restrictions  ou  where  the  box  should  be  placed 
would  be  of  a  farm  that  constrained  it  to  tbe  middle  of  the  range  (12,36).  The  reasoning  was  that 
here  neither  the  sensor  nor  the  manipulator  would  be  sufficiently  inaccurate  to  cause  tbe  plan  to 
fail.  However,  for  that  to  happen  the  shape  of  the  sensor  error  characteristics  must  be  somewhat 
different. 
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3.  A  Model  of  Plans  and  Sensors 


The  basic  model  of  a  plan  used  in  this  paper  is  that  there  is  an  initial  state,  a  final 
state  and  a  plan  of  action  to  change  the  initial  state  into  the  final  state.  There  are  three 
refinements  to  this  basic  model.  There  may  be  uncertainty  in  the  initial  state,  there  may 
be  conditions  on  the  applicability  of  the  action,  and  the  planner  may  generate  a  plan  with 
an  uncertain  final  state.  All  these  need  to  be  quantified.  Furthermore  the  plan  may  be 
just  a  small  part  of  larger  plan  -  a  planning  island.  Decisions  concerning  certain  details 
associated  with  the  plan  may  have  to  be  deferred  until  adjacent  plans  in  the  plan  island 
space  have  been  finalized.  Alternatively,  the  decisions  required  for  the  various  islands  may 
be  mutually  dependent. 

There  may  be  uncertainties  in  the  robot  planner's  knowledge  of  the  initial  state,  so 
the  plan  must  be  able  to  handle  a  set  of  initial  states.  For  instance  in  the  example  used  in 
section  2.1  the  set  of  initial  states  was  all  possible  combinations  of  the  block’s  position  and 
orientation  on  the  table,  the  hand’s  position  and  orientation,  and  orientation  of  the  screw 
on  the  tip  of  the  screwdriver,  subject  to  the  constraints  given. 

The  action  may  be  applicable  over  a  class  of  states.  For  instance  the  screw  in  the 
example  of  section  2  could  be  inserted  as  long  as  the  tip  was  somewhere  within  the 
circumference  of  the  hole.  Given  the  uncertainties  in  the  initial  state  of  the  world,  the 
robot  planner  must  determine  whether  the  desired  action  is  aplicable. 

There  may  be  a  range  of  final  states  of  the  world  that  arc  acceptable.  For  instance,  if 
the  task  is  simply  to  throw  a  part  in  a  bin  then  the  particular  position  and  orientation  of 
the  part  is  not  important.  It  suffices  that  it  is  somewhere  within  the  confines  of  the  bin. 

Planning  islands  provide  a  hierarchical  decomposition  of  large  plans  into  smaller  plans 
at  more  detailed  levels  of  abstraction.  The  model  used  for  a  plan  in  this  paper  deals  with 
single  islands  at  a  single  level  of  representation.  Section  6  discusses  linking  such  plan 
islands  in  the  context  of  constraint  satisfaction  as  introduced  here.  A  sequel  to  this  paper 
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3.1  Notation. 

To  formalise  the  model  of  a  plan  it  is  necessary  to  introduce  some  notation.  The 
notation  introduced  in  this  section  is  sufficient  to  follow  up  to  section  5  when  more  will  be 
necessary. 

Individual  functions  are  written  as  words  such  as  DECIDE  or  support.  Upper  case 
functions  are  those  for  which  there  exists  a  program  to  compute  their  values.  Lower  case 
functions  are  mathematical  entities  which  may  not  be  computable. 

Single  upper  case  letters,  perhaps  with  subscripts,  such  asP  or  C*  refer  to  sets.  Lower 
case  letters,  such  as  e  are  used  to  refer  to  mathematical  individuals.  Strings  of  letters  set  in 
upper  case  typewriter  font,  such  as  BOX-POSITION-X  are  formal  variables  of  a  plan.  Strings 
in  lower  case  such  as  box.'length  refer  to  slots  in  the  geometric  model  of  the  world.  Such 
slots  represent  actual  physical  quantities. 

Functions  defined  on  a  domain  are  sometimes  applied  to  a  subset  of  that  domain, 
meaning  the  image  of  the  subset  under  the  function. 

Expressions  are  constructed  from  constants,  formal  variables  and  slot  names.  Con¬ 
straints  are  first  order  sentences  over  boolean-valued  predicates  applied  to  one  or  more 
expressions.  Thus 


3.0  +  B0X-P0SITI0X-X  -f-  BOX-POSITION- DELTA-X 


is  an  expression  while 

—0.03  ^  BOX-POSITIOM-DELTA-X  X  cos(B0X-DELTA-0Rl)  <  0.03 


is  a  constraint. 
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A  set  of  constraints  is  written  as  a  subscripted  C,  such  as  C a  and  Cj.  The  subscript 
identifies  a  particular  constraint  set.  A  set  of  constraints  is  equivalent  to  the  single  con¬ 
straint  which  is  the  conjunction  of  its  members. 

DEFINITION:  The  support  of  an  expression  is  the  set  of  atomic  symbols  which  appear  in 
it.  It  is  written  stipport(e).  Similarly  aupport(c)  is  written  for  the  union  of  atomic  symbols 
which  occur  in  all  the  expressions  in  the  constraint  c,  and  8upport( C)  for  the  union  of  the 
supports  of  all  the  constraints  in  the  constraint  set  C.  | 

For  example  the  support  of  the  expression  above  is  the  set 

{  BOX-POSITION-X, BOX-POSITION-DELTA-X  }. 


DEFINITION:  The  range  of  a  formal  variable  v  is  denoted  range(v)  and  is  the  set  of  values 
that  can  be  substituted  for  the  variable.  | 

Typically,  the  range  of  a  variable  will  be  the  real  numbers. 

DEFINITION:  A  set  of  variables  V  defines  a  space,  denoted  space(V),  which  is  the  cross 
product  of  the  ranges  of  the  elements  of  V.  I.e. 

spacc(V)  =  JJ  range(v) 

The  ordering  of  the  product  is  arbitrary  but  fixed  for  index  sets  V.  | 

A  point  p  €  space(V)  can  be  written  [pVi,pVl,  •••(?«„))  where  the  product  forming 
8par.e(V)  is  ordered  Vi,V2,...,vn.  Given  p  €  space{V)  and  v  £  V  the  vth  ordinate  of  p  is 
written  pv  and  of  course  p„  6  range(v). 

Given  two  variable  sets  W  and  V  where  W  Q  V,  space(W)  is  identified  with  the 
appropriate  natural  subspace  of  space(V). 


DEFINITION:  Given  variable  sets  W  and  V ,  where  W  C  V,  and  a  subset  S  C  space(V), 
then  proj(V,  W,  S)  is  the  projection  of  S  into  space(W).  I.e. 

proj(V,W,S)  —  {q  E  space(W)  |  3pE  S,Vu/  6  W,pw  =  ?„,}.! 

As  an  example  a  spherical  volume  in  three  space  projects  into  a  filled  circle  in  two 
space  -  thus 

proj({x,y,z},{x,y},{(x>y,z)  j  z2  -f  y2  +  z7  <  1 })  =  {(x,y)  |  x2  +  y7  <  1). 

DEFINITION:  Given  variable  sets  IV  and  V  where  IV  C  V,  and  a  subset  R  C  space(W), 
then  lift(V,W,R)  is  the  largest  subset  of  space(V )  which  projects  into  R.  I.e. 

lift(V,W,R)  =  {p£  space(V)  \  3q  E  space(W),Vw  E  W,pw  =  qw}. 

In  particular 

proj(V  ,W,  lift(V  ,W,  R))  =  /?.( 

DEFINITION:  Given  an  expression  e  and  a  variable  Sfet  V  where  support(e)  C  V ,  and 
p  E  spac<’{V)  then  fe]y(p)  is  the  interpretation  of  the  expression  e  at  the  point  p.  Its  value 
is  the  result  of  evaluating  e  with  the  substitution  of  pv  for  v  throughout  for  each  variable 
v  E  supporr(e).  The  definition  has  a  natural  extension  to  the  interpretation  of  a  constraint 
c.  Thus  [c]v  is  a  predicate  on  the  domain  apftce(V).  The  definition  can  be  extended  to 
encompass  partial  evaluation  of  expressions.  Thus  if 

V  C  support^}  ■—  V 

then  [e)i/(p)  will  be  an  expression  with  support  in  U  —  V  and  will  be  the  appropriate  partial 
evaluation  of  e,  i.e. 

Vq£U-V,  ile]v(p)h/-F(9)  =  Mt/(r) 
where  r  E  f7  such  that  proj(U,  V,r)  —  p  and  proj{U,U  —  V,r)~  q. 


For  example 


(BOX-POSITIOH-X  +  B0X-P0SITI0N-DELTA-X]{  BOX-POSITIOM-DELTA-X>(0) 

=  BOX-POSITION-X. 

DEFINITION:  Given  a  constraint  c  and  a  variable  set  V  where  support(c)  C  V,  the 
satisfying  set  of  c  over  space(V),  written  sat(c,  V),  is  the  set  of  all  points  in  space(V)  where 
the  constraint  holds.  I.e. 

sat(c,V)  =  {pG  space{V)  |  (c]v(p)} 

For  a  constraint  set  C  and  a  variable  set  V  where  support{C)  C  V,  the  satisfying  set 
of  C  over  space(V),  written  sat( C,  V),  is  the  set  of  all  points  in  space[V)  whore  all  the 
constraints  in  C  hold.  I.e. 

sat.(C,V)=  P|  sat(c,V).| 
ceC 

Note  that  for  a  constraint  set  C  where  support(C)  QW  CV  then 

sat(C,\0  =  lift(V,W,  sat(C,W)). 

Note  also  that  for  two  constraint  sets,  C*  and  C g,  and  variable  set  V  then 
8at{CA  UCb,V)  =  sat(CA,V)(l  *at(Cg,V), 
where  support^ CA)  C  V  and  support( Cb)  C  V. 

3.2  Representing  uncertain  physical  situations. 

There  are  two  types  of  uncertainty  which  a  plan  checker  must  deal  with.  Plans  can  be 
made  quite  detailed,  yet  still  incorporate  unresolved  decisions.  Even  at  execution  time  the 
robot  controller  will  not  have  exact  values  for  physical  parameters.  These  are  both  handled 


by  the  use  of  formal  variables  to  represent  uncertain  knowledge  and  constraints  on  formal 
variables  what  is  known. 

There  are  two  distinct  sorts  of  variables:  those  whose  values  though  not  known  at  plan 
time  will  have  at  least  a  known  nominal,  value  assigned  them  before  execution  time,  and 
those  which  will  not  be  known  even  at  execution  time. 

Variables  whose  values  are  not  known  at  plan  time,  but  will  be  known  at  execution 
time  arc  called  plan  variables. 

Variables  whose  values  will  not  be  known  even  at  plan  execution  time  arc  called 
uncertainty  variables. 

3.2.1  Representing  physical  values. 

Physical  quantities  are  represented  in  geometric  models  by  names.  An  ad  hoc  nam¬ 
ing  scheme  is  used  in  this  paper  to  avoid  the  introduction  of  unnecessary  machinery. 
Consider  plan  A  in  the  example  of  section  2.2.  The  only  physical  quantities  represented  are 
box.-posltion  and  Imposition.  In  a  more  realistic  representation  of  the  plan,  the  named 
physical  quantities  would  include.  boxrsridth,  iid.'width.  and  iidrfeeder- position. 

A  named  physical  quantity  is  represented  as  the  sum  of  a  plan  variable  and  an  un¬ 
certainty  variable.  Thus  for  instance  in  plan  A  the  position  of  the  box  on  the  table, 
box.-posltion,  is  represented  by  the  expression 

BOX-POS  -f  BOX-UXC. 

The  plan  variable  BOX-POS  whose  exact  value  may  be  unknown  at  plan  time  represents 
the  nominal  value  of  the  position  of  the  box  at  plan  execution  time.  The  uncertainty 
variable  30XHJVC  represents  the  uncertainty  that  the  robot  controller  will  have  concerning 
the  actual  physical  position  of  the  box  at  plan  execution  time. 


Figure  7.  A  given  physical  situation  can  be  represented  by  any  point  on  the  sloped  line, 
and  hence  its  nominal  value  can  take  on  any  value  in  the  projection  onto  the  horizontal 
axis.  Conversely  any  nominal  value  can  correspond  to  any  physical  situation  whose  sloped 
line  intersects  the  vertical  about  that  nominal  point. 


A  given  physical  quantity  may  have  many  different  representations  at  plan  execution 
time.  Consider  figure  7.  The  uncertainty  variable  BOX-UNC  is  bounded  above  and  below 
by  functions  of  the  plan  variable  BOX-POS.  A  particular  value  for  BOX-POS  can  model  many 
actual  physical  situations  -  one  for  each  value  of  BOX-UNC  which  lies  within  the  bounds. 
Similarly  a  given  physical  situation  can  be  modeled  by  many  values  for  BQX-pos.  Any 
particular  physical  situation  corresponds  to  a  straight  line  segment,  with  slope  —1,  as 
illustrated  in  figure  7.  Any  value  for  BOX-POS  which  lies  in  the  project  of  the  line  segment 
(the  intersection  of  the  line  and  and  the  bounded  region)  onto  the  axis  is  a  valid  nominal 
representation  of  the  physical  situation. 

3.2.2  Nominal  values  of  expressions. 


The  nominal  value  of  an  expression  can  be  recovered  by  substituting  zero  uncertainty 
throughout.  Thus  if  P  is  the  set  of  plan  variables  and  U  the  set  of  uncertainties,  then  the 


nominal  value  of  an  expressions  e,  where  support(e)  C  PU^.  will  be  given  by  |e]i/(0y) 
where  0 u  is  the  sero  point  of  spact{U). 

Thus,  for  instance  the  nominal  value  of  BOX-POS  -j-  BOX-UHC  is  BOX-POS.  The  functional 
form  nominal  acts  on  named  physical  quantities.  Thus  if  box.-position  is  represented  as 
above,  then 

nomtna/(box:position)  —  BOX-POS. 

This  mathematical  device  will  be  useful  when  it  is  necessary  to  extract  the  nominal  value 
of  a  derived  expression. 

3.3  What  is  specified  and  unspecified  in  a  plan. 

Plans  link  an  initial  state,  an  action  applied  to  that  state  and  a  final  state. 

At  plan  time  there  may  be  unresolved  decisions  and  so  not  even  the  nominal  initial 
state  can  be  known.  At  execution  time  there  will  be  many  uncertainties  in  the  actual 
values  of  physical  quantities.  Thus  a  plan  must  consider  a  set  of  initial  states,  ranging  over 
both  unresolved  decisions  and  physical  uncertainties.  With  many  possible  initial  states  to 
consider  there  arc  many  possible  final  states.  The  action  of  the  plan  thus  becomes  a  maping 
from  initial  states  to  final  states. 

The  role  of  a  plan  checker  is  to  ensure  that  Tor  all  possible  initial  states  the  planned 
action  is  applicable  and  will  lead  to  a  final  state  that  can  be  handled  by  the  next  step  in 
the  overall  plan. 

3.3.1  Initial  state. 

The  insertion  task  in  section  2.1  can  be  planned  in  some  detail  in  terms  of  a  nominal 
position  for  the  block  on  the  table  while  still  representing  it  as  a  variable.  Before  the  plan 
is  actnaliy  executed  a  specific  nominal  position  will  be  chosen.  (Note  that  it  may  be  chosen 
only  momentarily  before  the  plan  is  executed  -  perhaps  on  the  basis  of  a  sense  operation.) 
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The  uncertainty  in  the  two  coordinates  of  tire  block  on  the  table  will  not  be  known  even 
at  plan  execution  time.  Bounds  on  those  uncertainties  were,  however,  known  at  plan  time. 

The  set  of  all  plan  variables  in  a  plan  is  denoted  P. 

The  set  of  all  uncertainty  variables  in  a  plan  is  denoted  U. 

The  geometry  of  the  initial  state  of  the  world  is  specified  in  terms  of  the  geometry  (in 
terms  of  named  physical  quantities)  of  the  objects  in  the  world  and  in  terms  of  expressions 
over  constants  and  variables  in  the  set  P  U  U,  representing  named  physical  quantities.  In 
this  paper  only  the  correspondences  between  named  physical  quantities  and  expressions 
representing  them  arc  considered.  The  details  of  representation  of  geometrical  relations  are 
not  considered. 


A  set  of  initial  constraints,  Cj,  where  supporl(C])  C  P  U  U,  constrains  the  possible 
initial  states  to  which  the  planned  action  may  be  applied.  Furthermore,  sai(Cj,P  \J  U), 
those  interpretations  of  the  variables  which  satisfy  all  the  constraints,  can  be  considered  as 
the  set  of  possible  initial  states. 


The  set  Cj  is  derived  by  the- planning  system  by  tracing  through  the  geometry  or  plan 
islands  from  the  given  initial  state  of  the  world.  Its  initial  derivation  is  not  a  concern  of 
this  paper. 


As  an  example  consider  plan  A  of  section  2.2.  There  is  only  one  physical  quantity  to 
be  represented,  namely  box.’position.  The  initial  states  of  the  world  of  plan  A  can  be 
represented  by  the  sets 

P  =  {  BOX-POS  } 

V  =  {  BOX-UNC  }, 

the  association 

box.'positlon  =  BOX-POS  -f  BOX-UNC, 


and  the  set  C;  consisting  of  the  constraints 
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1 2 .0  <  BQX-POS  <  36.0 
Cj(BOX-POS)  <  BOX-UKC  <  C^(BOX-POS) 


where 

et{ x)  =  max(0.0002215x  -  0.043262, 0.0009857x  -  0.063329) 
e*(x )  =  min(0. 043262  —  0.0002253x,  0.063329  -  0.0009895x). 

For  plan  13  the  initial  states  of  the  world  can  be  represented  by  the  sets 

P  =  {  BOX-POS  } 

U  —  {  BOX-UNC,  LID-UHC  }, 

the  associations 

box: position  =  BOX-POS  +  BOX-UIC 
Jid.-position  —  BOX-POS  -f  LID-USC 
and  C ;  consisting  of  the  constraints 

12.0  <  BOX-POS  <36.0 
Cj(BOX-POS)  <  LID- UXC  <  e^(BOX-POS) 
ej(BOX-POS)  <  BQX-UHC  <  e^(BOX-POS). 


3.3.2  Action. 

Associated  with  an  action  are  certain  applicability  pro-  conditions.  The  robot  planner 
generates  these  conditions  as  sufficient  to  ensure  that  the  geometric  consequences  of  the 
action  will  correspond  to  the  modelled  consequences.  Some  or  these  constraints  might  be 
purely  geometric.  For  example  an  insertion  action  requires  the  existence  of  a  hole.  It 
is  assumed  that  the  robot  planner  has  ensured  such  prerequisites  and  can  transmit  the 
identity  of  such  geometric  features  to  the  plan  checker.  In  addition  to  the  gross  geometric 
aspects  there  may  be  certain  finer  details  which  can  be  conveniently  expressed  in  terms  of 
parameters.  For  instance  in  the  insertion  task  of  section  2.1  there  was  a  condition  that  the 
tip  of  the  screw  lie  within  the  circumference  of  the  hole.  This  is  an  abstract  pre-condition 
for  the  applicablity  of  the  insertion  action.  In  the  example  it  was  translated  in  two  steps 
into  conditions  on  the  plan  and  uncertainty  variables.  Firstly  it  was  expressed  as 

yf(Ax)2  +  (Ay)2  <  HOLE-RADIUS 
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and  then  as  a  much  more  complex  expression  as  the  quantities  Az  and  Ay  were  related  to 
quantities  representing  the  state  or  the  world. 

The  plan  checker  model  of  this  paper  assumes  that  the  robot  planner  carries  out  the 
geometric  interpretation  of  the  abstract  action  applicability  conditions  into  constraints  on 
the  plan  and  uncertainty  variables.  Let  that  set  be  Cj  for  applicability  constraints.  Note 
that  support(C a)  C  P  U  V. 

For  plan  A  the  abstract  applicability  condition  is  that  the  lid  be  moved  to  some 
place  in  the  workspace  of  the  manipulator.  Since  the  lid  is  to  moved  to  physical  position 
iid.-posltion  then  the  condition  can  be  expressed  as 

12.0  <  nominal(lid: position)  <  36.0 

which  becomes 

12.0  <  LID-POS  <  36.0 
which  is  the  single  member  of  the  set  C/. 

For  plan  B  it  is  necessary  that  the  center  of  gravity  of  the  lid  be  above  the  extent  of 
the  box.  Since  the  box  is  two  inches  wide,  and  its  coordinate  system  has  the  origin  in  the 
center  of  the  box,  and  similarly  for  the  lid,  the  condition  can  be  expressed  as 

—1.0  <  lid: position  —  box.-posltion  <  1.0 

which  becomes 

— 1.0  <  LID-UNC  —  B0X-UNC  <1.0 
which  iB  the  single  member  of  the  set  C /. 

3.3.3  Final  state. 

The  final  state  of  the  world  is  similar  to  the  initial  state  in  that  it  is  represented  by 
variable  sets,  associations  of  expressions  and  named  physical  quantities  and  constraints  on 
the  variables. 
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The  action  of  a  plan  transforms  the  initial  state  into  the  final  state.  Sometimes 
the  action  is  modeled  purely  geometrically,  as  in  the  insertion  example  of  section  2.1. 
Sometimes  it  will  introduce  new  uncertainties  into  the  world.  Plan  A  moves  the  lid  to  a 
position  with  uncertainty  determined  by  the  position  uncertainty  of  the  manipulator  arm. 

Let  V  be  the  set  of  introduced  uncertainty  variables.  Members  of  V  model  uncer¬ 
tainties,  not  present  in  the  world  before  the  application  of  the  action,  which  arc  a  result  of 
the  action  itself. 

The  results  of  an  action  can  not,  in  general,  be  modelled  precisely.  This  is  the  souce  of 
uncertainty  in  the  plan  checker’s  model  of  the  world.  Thus  the  action  can  not  be  modeled 
as  a  simple  function  from  the  set  of  initial  states  to  the  set  of  final  states.  Instead  the 
geometry  of  the  action  is  captured  by  a  set  Cg,  where  snpport(Cg)  C  P  U  U  U  V,  which 
relates  the  initial  state  of  the  world  to  the  introduced  uncertainties.  Thus  the  possible  final 
states  of  the  world  are 

sat(Cj  U  C^,P  U  f/  U  P). 

If  the  geometry  constraints  correspond  to  a  physically  realizable  action,  then  for  every 
initial  state  where  the  action  is  applicable,  it  should  be  the  case  that  there  is  a  final  state 
that  satisfies  the  constraints  of  the  geometry.  Thus  the  geometry  constraints  Cg  must 
satisfy  the  physical  realizability  condition 

proj{P  U  U  U  V,P\jU,sat{C:  U  Cj  UCg,PUU  UP))  —  sat(C;  \JCa,PUV)  (R). 


As  an  example  the  geometric  constraint  set  Cj  associated  with  the  action  of  plan  A 
consists  of  the  singleton 


ej(BOX-POS)  <  LID-UMC  <  e^(BOX-POS) 

where  the  introduced  uncertainty  variable  set  is  v  —  {  LID-UMC  }.  The  introduced  association 
is  that 

lid: position  =  BCX-POS  -f  LID-UXC. 
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3.3.4  Summary. 


In  summary,  a  plan  is  specified  by  its  geometry  g  and  by  three  sets  of  variables 

P  plan  variables 
U  initial  uncertainties 
V  introduced  uncertainties 
subject  to  three  sets  of  constraints: 

C;  initial  constraints  aupport(Cj)C  P  UU 

C jt  applicability  constraints  auppor i(C>t)C  P  U  U 

Cg  geometry  of  action  aupport{Cg)C  P  U  U  U  V 

A  plan  with  geometry  g  is  written  as  an  7-tuple  (g,P,U,V,Ci,CA,Cg).  Note  that  the 
geometry  g  includes  the  associations  of  named  physical  quantities  and  algebraic  expressions 
to  represent  them. 

3.4  Acceptable  plans. 

0* 

The  role  of  a  plan  checker  is  to  decide  whether  a  plan  will  work  and  produce  the 
desired  result.  The  mathematical  criteria  for  these  objectives  are  easily  stated  in  terms 
of  the  model  developed  above  for  plans.  They  are  stated  below.  There  is  however  some 
difficulty  in  translating  these  abstract  criteria  into  algorithms.  Sections  4  and  5  develop  a 
general  approach  and  describe  a  particular  algorithm. 

3.4.1  The  action  must  be  applicable. 

The  geometric  constraints  Cg,  describing  the  effect  of  the  action  on  the  initial  state  of 
the  world  are  valid  only  if  the  applicability  conditions  are  satisfied.  Thus  to  guarantee  that 
the  final  state  of  the  world  meets  the  derived  constraints  it  must  be  that  the  applicability 
conditions  arc  satisfied  for  all  possible  initial  states.  Thus 

aat{Ci,P  U  l/)  C  sot(Cr  UC/,PU  U).  (A) 
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3.4.2  The  final  state  must  be  reasonable. 


The  plan  used  for  a  single  planning  island  must  leave  the  world  in  a  state  that  is 
feasible  for  the  next  island  in  the  planning  chain.  Thus  a  goal  condition  can  be  formulated 
for  a  plan:  givun  any  valid  initial  state  a  plan  should  produce  a  state  of  the  world  that  is  a 
vaild  initial  state  for  the  next  plan. 

Suppose  that  the  next  planning  island  in  the  chain  has  an  initial  state  described  by  a 
set  of  plan  variables  P* ,  a  set  of  uncertainties  U‘  and  initial  constraints  Cj. 

In  a  simple  model  of  planning  one  could  demand  that  P  =  P*  and  U  U  V  —  U* .  The 
goal  condition  for  a  successful  plan  then  becomes 

sat(Cj  U  C(j,P  U  bf  U  V')  C  sat(Cj,P*  U  U*)  =  saf(C},PU  t/  U  V). 


In  a  realistic  planning  sytem  that  assumption  can  not  be  made.  Variables  can  both  be 
introduced  and  removed  at  various  points  along  the  temporal  sequence  from  plan  island  to 
plan  island. 

Variables,  including  plan  variables,  are  introduced  by  sensing  operations.  Examples 
of  this  are  seen  below  in  sections  3.5  and  4.2.  This  type  of  variable  introduction  does  not 
afreet  the  goal  condition  statement,  as  the  variables  are  not  used  in  the  description  of  the 
initial  state  of  the  plan  in  which  they  are  introduced. 

Variables  may  be  introduced  for  a  second  reason.  To  decrease  the  complexity  of 
analysis  of  plan  islands,  it  might  be  the  case  that  aspects  of  the  geometry  of  the  initial 
state  of  the  world  are  ignored  until  the  first  plan  step  in  which  they  are  relevant.  In 
this  case  the  introduced  variables  must  be  independent  of  the  state  of  the  world  described 
by  the  results  of  the  previous  actions.  The  introduction  of  such  variables  considerably 
complicates  the  statement  of  the  goal  condition,  but  in  reality  add  little  to  its  meaning, 
nor  to  the  implementation  of  algorithms  to  check  that  the  condition  is  met.  Therefore  the 


remainder  of  this  paper  assumes  that  ail  aspects  of  the  world  geometry  are  modeled  from 
the  initial  state  of  the  world,  and  propagated  through  all  actions.  In  an  implementation  of 
the  algorithms  presented  later  in  this  paper  it  is  easy  to  add  in  this  aid  to  efficiency. 

Variables  are  removed  when  all  named  physical  quantities  with  which  they  arc  as¬ 
sociated  become  meaningless.  For  instance  if  an  object  is  put  down  at  some  temporary  loca¬ 
tion,  then  picked  up,  the  variables  which  describe  its  temporary  location  have  no  geometric 
meaning  in  the  resultant  state  of  the  world.  Such  variables  are  removed  from  the  descrip¬ 
tions  of  the  world  state  of  all  following  plan  islands.  ThU  convention  is  assumed  to  aid  in 
the  decoupling  of  planning  islands.  It  may  mean  that  a  sequence  of  plans,  for  which  a  valid 
set  of  plan  variables  can  be  chosen,  might  be  rejected  due  to  failure  to  understand  subtle 
interactions  of  uncertainty  dependence  between  plan  islands.  This  paper  assumes  that  the 
increased  eiTiciency  derived  from  the  decoupling  allows  extra  planning  effort,  to  find  better 
structured  plans  in  such  obscure  cases. 

It  can  thus  be  assumed  that  P*  C  P  and  £/*  C  U  \JV .  The  goal  condition  now 
becomes 

proj(P\jU\jV,P*\jU\sat[Ci\jCg,P\jU\jV))  C  sat(Cj,P‘ U  f/*).  (G) 

3.4.3  Sound  plans. 

DEFINITION:  A  plan  (g,  P,  U,  V,  C;,  Cj,  Cp)  whose  following  plan  has  initial  state 
described  by  P*,  U*  and  C}  is  called  sound  if  both  conditions  (A)  and  (G)  are  true.  | 

The  goal  of  a  plan  checker  is  to  either  certify  that  a  plan  is  sound  or  modify  it  so  that 
it  is  sound.  A  sound  plan  is  illustrated  in  figure  8. 

3.5  What  a  sensor  is. 

A  sensor  is  used  to  measure  a  quantity  in  the  real  world.  All  sensors  are  subject  to 
measurement  errors.  A  plan  checker  must  have  a  realistic  model  of  a  sensor  and  its  error 
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Figure  8.  A  sound  plan  has  an  action  which  is  applicable  for  all  possible  initial  states,  and 
which  produces  a  final  state  expected  by  the  following  plan. 
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characteristics  in  order  to  be  able  to  plan  the  use  of  a  sensor  and  to  realize  the  consequences 
of  such  use. 

3.5.1  Measurable  quantities. 

A  quantity  which  can  be  measured  must  be  geometrically  represented  as  an  expression 
in  named  physical  quantities.  In  addition  a  sensor  which  can  carry  out  the  measurement 
must  be  available. 

Suppose  e  is  the  expression  in  named  physical  quantities,  and  /  the  result  of  susbstitut- 
ing  in  e  for  the  representations  of  the  named  physical  quantitities  in  a  plan 

(g,P,U,V,  C:,CA,C$). 

Then  support(f)  Q  P\jU.  Expression  /  can  be  broken  into  the  sum  of  a  nominal  expression 
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n  and  and  uncertainty  expression  u  by  writing 

n  =l/]u(°i/) 
u=f-\f)u(0u). 

Thus  the  uncertainty  in  /  is  zero  if  the  uncertainties  in  all  the  named  physical  quantities 
in  the  support  of  e  are  also  zero.  Note  that 

Bupport(n)CP 
support(u)CP  U  U. 

Typical  examples  of  geometrically  measurable  quantities  are  the  length  of  an  object, 
the  coordinates  of  the  position  of  a  detectable  feature  on  an  object,  the  orientation  of  an 
object  or  the  area  covered  by  an  object  on  a  back  lighted  table. 

For  example  consider  a  flat  rectangular  object  whose  length,  objrct:length,  is  repre¬ 
sented  as 

LENGTH  +  LENGTH-UNC 

and  width,  object.-width,  as 

WIDTH  +  WIDTH-UNC 

where  LENGTH  and  WIDTH  arc  plan  variables,  and  the  others  uncertainty  variables.  Then  with 
a  suitable  sensor  the  length  of  the  object  could  be  measured  and  in  that  case 

n  =  LENGTH 
U  —  LENGTH-UNC. 

If  there  is  a  vision  system  available  which  can  measure  blob  areas,  then  perhaps  the  area 
of  the  top  of  the  object  could  be  measured.  Then 

n  =  LENGTH  X  WIDTH 
u  = LENGTH  X  WIDTH-UNC 

+ WIDTH  X  LENGTH-UNC 
-f  LENGTH-UNC  X  WIDTH-UNC. 
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3.5.2  Sensor  error  is  a  source  of  uncertainty. 

Any  sensor  s  capable  of  measuring  a  geometric  quantity  modelled  by  the  expression 
n  -j-  tt  inherently  provides  a  measurement  which  is  subject  to  error.  Thus  it  provides  a 
measurement  which  is  the  true  value  of  the  quantity  in  the  real  world  plus  some  error  term. 

A  sensor  s  is  modelled  algebraically  by  two  error  expressions,  namely  l,  and  ra  (for 
left  and  right),  where 

support^,,)  =  s upport(r9)  —  {  READING,  }. 

A  modelled  sensor  s  can  be  read  by  evaluating  READ(s)  (recall  that  uppercase  function 
names  correspond  to  functions  for  which  there  is  a  piece  of  computer  code  somewhere). 
This  is  the  nominal  value  returned  by  the  sensor.  If  correctly  modelled  then  the  actual 
physical  value  v  of  what  is  being  measured  lies  somewhere  within  an  error  range  of  this 
nominal  value.  Let 

m  =  READ(s) 

then 

m  +  Hs]{  READING,  }(rn)  <  V  <  m  •+■  M{  READING.  }M- 

(Recall  that  the  notation  [ls]{ READING, }  is  a  X  -expression  which  turns  ls  from  an  expression 
over  one  variable  into  a  function  of  one  argument.)  Thus  a  sensor  can  have  an  error 
dependent  on  the  value  it  measures.  This  corresponds  well  to  most  physical  sensors; 
especially  those  that  are  non-linear.  Often,  of  course  the  error  expressions  will  be  constants. 

As  an  example,  consider  a  sensor  s  which  delivers  a  reading  with  ilO%  error.  Then 

—  I,  ~rs  —  0.1  X  READING,. 


Consider  figure  figure  9.  A  sensor  is  being  used  to  read  a  value  for  the  named  physical 
quantity  box  .-position.  It  is  represented  as  before  by  the  expression 

B0X-P0S  +  BOX-UNC. 
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Figure  9.  A  sensor  produces  a  bound  on  possible  physical  values.  The  correct  nominal 
value  lies  somewhere  in  the  bounded  part  of  the  plan  variable  axis  (refer  to  figure  7).  The 
shaded  region  gives  the  valid  representations  of  the  physical  situation. 


The  sensor  puts  a  bound  on  the  actual  value  of  box:position.  Recall  that  a  given  physical 
value  can  be  represented  by  any  point  on  a  line  with  slope  —  1  in  a  diagram  such  as  figure 
9.  Thus  all  such  lines  which  go  through  the  bounded  region  of  the  horizontal  axis  comprise 
the  set  of  possible  realities  which  are  consistent  with  the  sensor  reading.  It  makes  no  sense 
to  choose  a  value  for  DOX-POS  which  is  outside  the  bounded  region.  Thus  any  representation 
of  the  physical  situation  which  is  consistent  with  the  sensor  reading  should  be  a  point  in 
the  shaded  region  of  the  figure.  At  plan  execution  time  the  sensor  reading  can  be  used  to 
constrain  the  variables  B0X-P03  and  BQX-UNC  to  define  a  point  in  this  region. 

The  sensor  error  expressions  are  used  in  different  ways  by  the  plan  checker  and  the 
robot  controller.  The  plan  checker  uses  them  to  generate  symbolic  bounds  on  the  errors 
that  will  be  inherent  in  nominal  values  chosen  for  plan  variables  at  execution  time.  The 
robot  controller  uses  them  to  generate  numeric  bounds  on  the  actual  sensor  readings  so 
that  it  can  choose  a  set  of  nominal  values  Tor  the  plan  variables  which  are  consistent  with 
all  sensor  readings  and  with  the  state  of  the  world  known  from  previous  steps  in  the  plan. 


4.  What  A  Plan  Checker  Can  Do 


Given  plana  P  and  P*  where 

P=(g,P,U,V,Ci,  CA,C$) 

P'  =(ff>\(/\V*, C^C^Cj) 

and  plan  P*  immediately  follows  P  in  the  planning  island  chain,  a  plan  checker  could  decide 
if  P  was  sound  by  checking  whether  the  conditions  (A)  and  (G)  were  satisfied. 

Such  an  approach  requires  the  comparison  of  satisfying  sets  of  different  sets  of  con¬ 
straints.  ft  can  be  quite  difficult  to  explicitly  compute  satisfying  sets  whenever  non-linear 
constraints  are  involved,  and  it  is  also  difficult  to  compare  them.  In  addition  simple  failure 
to  meet  one  of  the  conditions  (A)  or  (G)  may  give  no  hint  as  to  how  to  modify  the  plan  so 
that  it  can  succeed.  In  general  it  is  easier  for  a  plan  checker  to  modify  a  plan  to  guarantee 
that  the  modified  plan  is  sound,  rather  than  trying  to  decide  whether  a  given  plan  is  already 
sound. 

The  easiest  way  to  modify  a  plan  is  to  put  extra  constraints  on  the  plan  variables. 
Values  must  be  chosen  for  those  variables  before  execution  time,  and  the  plan  checker  can 
often  guarantee  that  the  plan  will  work  by  Bimply  constraining  those  choices.  If  that  fails 
it  may  be  necessary  to  introduce  sensing  into  the  plan.  Section  4.2  gives  an  analysis  of 
the  effects  of  sensing  on  a  plan.  Sensing  essentially  decreases  the  uncertainty  in  the  world, 
so  more  constraints  can  be  added  to  the  initial  state  of  the  world  to  reflect  the  increased 
knowledge  that  the  robot  controller  will  have  at  plan  execution  time.  Section  4.3  relates 
certain  properties  of  these  various  sets  of  additional  constraints  to  the  six  possible  outcomes 
for  checking  a  plan  given  in  section  1.2. 

4.1  Concurrently  checking  and  rescuing  a  plan. 

The  method  proposed  here  requires  a  plan  checker  to  construct  an  additional  set  of 
constraints  C*  (the  M  is  for  new  constraints),  whore  support( C  v)  C  Pl)U ,  such  that  the 
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plan 

(g,P,U ,A,Cj  U  C jy,  Cyi,  C$) 

is  sound. 

The  performance  of  a  plan  checker  can  be  measured  in  terms  of  the  properties  of  the  set 
C  h  which  it  is  able  to  compute.  Some  care  must  be  taken  in  computing  Cm  to  avoid  wishful 
thinking  where  the  constraints  on  certain  of  the  variables  are  physically  unrealizable.  It 
is  best  to  avoid  making  unforced  decisions  at  any  given  plan  island  so  a  minimal  Cm  is 
desirable.  Below  a  minimality  condition  is  defined  for  Cm- 

4.1.1  Wishful  thinking. 

The  set  Cm  can  not  be  chosen  arbitrarily.  It  is  easy  to  construct  constraints  which 
contain  hidden  wishful  thoughts  about  the  initial  state  of  the  world. 

Unless  some  specific  sensing  operation  is  to  be  added  to  the  plan,  or  some  previous  steps 
of  the  plan  are  to  be  re- planned  to  meet  new  initial  uncertainty  constraints,  C M  should  not 
constrain  any  initial  uncertainties  for  any  set  of  values  for  the  planning  variables  P  which 
is  valid  in  both  the  old  plan  and  the  new.  I.e.  the  following  condition  must  be  true. 

Vp  €  proj{P  U  V,  P,  sat(Cj  U  C* ,  P  U  U)),  (4.1 .1) 

lift[P\jU,P,p)f)sat{Ci  UCm,P\JU)  =  Uft{P\jU,P,p)C\8at(C:,P\jU) 

This  condition  is  easily  satisified  when  support(C^)  C  P.  In  fact  there  is  an  equivalent  set 
of  constraints  with  support  contained  in  P  whenever  the  above  condition  is  satisfied. 

Thus  a  plan  checker  should  first  try  to  compute  a  set  or  constraints  Cm  such  that  the 
new  plan  is  sound  and  support{CM )  Q  P-  If  it  fails  to  do  that,  it  can  try  to  compute  a 
set  Cm  where  support(C m)  C  P  U  U,  so  long  as  there  exist  sensing  operations  which  will 
enable  the  initial  state  of  the  world  to  be  determined  within  the  uncertainty  requirements 
imposed  by  C  m  •  A  prerequisite  for  this  is  that  the  uncertainty  requirements  be  physically 
realisable. 
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For  instance,  consider  the  measurable  quantity  box.posltlon  from  plan  A  represented 
by  the  expression 


BOX-POS  -f  BOX-UNC. 


It  may  be  that  the  constraints  C yt  imply  that  for  the  plan  to  succeed  it  must  be  the  case 

that 


BOX-UNC  £  [—0.05, 0.075). 


The  desired  sensing  operation  would  be  physically  realisable  with  a  sensing  device  having 
an  accuracy  of  ±0.05.  However  it  is  highly  unlikely  that 


BOX-UNC  e  (0.125,0.25) 


could  ever  be  physically  realizable.  Such  a  range  simply  does  not  make  sense  as  an  error 
estimate  for  a  sensor. 


4.1.2  Minimality  of  additional  constraints. 

The  new  constraints  C m  narrow  down  the  set  of  possible  initial  states  since 
sat[ C;  UCv.PUt/)  C  sat{C:,P\jU). 


A  desirable  property  of  the  set  of  new  constraints  C*  is  that  it  remove  the  minimal 
number  of  allowable  initial  states  of  the  world  at  the  same  time  as  they  ensure  that  the 
plan  will  work.  This  is  equivalent  to  arguing  Tor  a  maximal  satisfying  set  of  C;  lIC*.  Note 
that  this  is  in  no  sense  a  condition  of  the  complexity  or  size  of  expression  or  the  constraints, 
but  rather  on  their  effect.  It  is  a  desirable  property  because  it  allows  maximal  freedom  in 
detailed  planning  concerning  the  other  planning  islands  in  the  overall  plan.  It  provides  the 
least  constraint  on  the  rest  of  the  plan. 


The  performance  of  plan  checkers  can  be  compared  more  formally  as  follows.  If  t  wo 
plan  checkers  fix  a  plan  by  responding  with  the  same  outcome  amongst  1  through  6  of 
section  1.2,  but  with  different  sets  of  additional  constraints,  C*,  and  C*,  say,  then  C  v,  is 


smaller  (or  more  preferable)  than  C  >/,  if 


sat(Cj  UC^.PUl/)  C  aat[C]  \jC>,ltP\jU). 

Note  that  not  all  pairs  C and  C m,  are  necessarily  comparable. 

Since  outcome  1  is  more  preferable  than  outcome  6  (and  in  general  lower  numbers  are 
more  preferable  than  higher)  a  partial  order  on  responses  by  a  plan  checker  to  a  plan  has 
been  defined.  This  is  however  only  a  partial  order  and  so  it  can  not  be  used  to  determine 
the  best  response  to  a  given  plan.  That  depends  on  how  the  planning  island  to  which  the 
plan  corresponds  interacts  with  all  the  other  planning  islands  in  the  overall  plan  space. 

4.2  Planning  to  U8e  a  sensor. 

Suppose  the  plan  checker  can  not  find  a  set  C>/  with  support(C  v )  C  P  which  ensures 
the  plan  will  work.  In  principle,  the  plan  checker  should  search  for  a  set  such  that 
support(Cy/)  C  P  U  U  and  such  that  there  exist  sensors  which  can  determine  the  state 
of  the  world  at  plan  execution  time  to  within  the  accuracy  required  by  C#.  Sensing, 
however,  introduces  new  uncertainties  and  new  nominal  values.  Therefore  it  is  necessary 
to  restructure  the  representation  of  the  plan  with  sensing  to  reflect  the  new  variable  sets. 

4.2.1  New  variables  must  be  introduced. 

Refer  to  figure  4.  The  world  has  an  initial  state.  A  sense  operation  is  carried  out.  The 
robot  controller  interprets  the  Bensc  operation  by  choosing  some  nominal  values  for  plan 
variables,  and  then  the  plan  proceeds  as  in  the  simple  case  of  figure  3. 

The  goal  of  a  sensing  operation  is  to  choose  new  nominal  values  for  named  physical 
quantities.  To  fit  this  with  the  variable  and  constraint  formalism  used  here  it  is  necessary 
to  choose  new  names  for  all  sensed  quantities.  Thus  for  each  named  physical  quantity 
which  appears  in  an  expression  describing  a  physical  quantity  to  be  sensed,  an  «v  plan  and 
uncertainty  variable  pair  must  be  chosen. 
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Suppose  that  in  plan  A  it  is  decided  to  sense  the  physical  quantity  box.'position. 
Originally  it  is  represented  by  the  expression 

BOX-POS  -f  BOX-UNC. 

Let  the  new  plan  variable  be  BOX-SENSE-POS  and  let  the  new  uncertainty  variable  be 
BOX-SENSE-UNC.  The  new  representation  of  the  physical  quantity  will  be 

BOX-SENSE-POS  -f  BOX-SENSE-UNC. 

Since  both  are  representations  of  the  same  physical  quantities  the  constraint 

BOX-POS  4-  BOX-UNC  =  BOX-SENSE-POS  +  BOX-SENSE-UNC 

can  be  assumed  even  at  plan  time.  Similar  restructuring  takes  place  when  the  quantity  to 
be  sensed  is  not  a  single  named  physical  quantity,  but  rather  derived  from  an  expression 
in  named  physical  quantities,  such  as  the  area  of  the  top  of  the  box  in  section  3.5. 

4.2.2  Constraints  implied  by  a  sense  operation. 

Recall  from  section  3.5  an  expression  /  which  is  the  representation  in  terms  of  plan 
and  uncertainty  variables  of  a  physical  quantity  to  be  measured,  can  be  decomposed  into 
the  sum  of  a  nominal  expression  and  an  uncertainty  expression  as 

/  =  n  +  it. 

Similarly  let  o  -f  v  be  the  expression  in  the  original  variables  which  it  is  replacing,  where 
o  is  the  nominal  component  and  v  the  uncertainty  component.  Since  the  old  and  new 
expressions  represent  the  same  physical  quantity,  the  constraint 

n -f  u  =  o  +  v  (4.3.1) 

must  hold. 

A  sensor  reading  at  execution  time  provides  a  nominal  value  for  the  expression  n.  I.e 
the  robot  controller  can  interpret  a  sensor  reading  of  m  by  assuming  the  constraint 


W{READINt.}(”»)  <  n  <  m  -f  |r,J{  READING.  >(m)- 


AH  such  constraints  will  be  combined  (also  with  constraints  already  known)  and  the  robot 
controller  will  choose  consistent  nominal  values  for  all  the  plan  variables  P. 

But  why  not  simply  use  the  nominal  value  returned  by  the  sensor  as  the  nominal  value 
for  expression  n  at  plan  execution  time?  There  is  a  problem  with  consistency  of  multiple 
sensor  readings.  Since  each  individual  sensor  has  errors  in  its  measurement,  if  more  than 
one  sensor  is  used  to  measure  values  for  non-independent  expressions  then  the  nominal 
sensor  values  will  usually  be  inconsistent  if  used  as  the  nominal  values  for  the  expressions. 

Given  that  the  robot  controller  will  not  use  the  nominal  value  returned  by  sensors 
directly,  it  is  not  possible  to  use  the  sensor  error  characterization  directly  to  constrain  the 
a  priori  runtime  uncertainty  of  using  a  Bcnsor.  The  analysis  below  proceeds  as  follows.  First 
the  range  of  possible  sensor  readings  is  characterized,  then  the  possible  interpretations  of 
each  reading  are  characterized  as  in  figure  4.  From  that  an  a  priori  uncertainty  can  be 
deduced. 

First  consider  the  range  of  possible  sensor  readings  which  might  be  returned.  The 
actual  physical  quantity  a  priori  modelled  by  o-f  v  must  lie  in  the  error  range  sensed.  Thus 

m  4  BEADING.  }(H  <  o  4  V  <  m  +  [r,]{  READING.  }("0-  (4.3.2) 

Let  m  be  replaced  by  a  new  plan  variable  READING,.  At  plan  execution  time  an  exact 
value  can  be  obtained  for  this  plan  variable.  Recall  that  /,  and  r,  are  expressions  in 
READING,.  Then  the  above  constraint  becomes 

READING,  -f  /,  <  0  +  V  <  READING,  4*  *$•  (4.3.3) 

The  nominal  value  to  be  chosen  for  n  by  the  robot  controller  ensures  that 
READING,  4  <  n  <  READING,  4  r, 

giving 

READING,  41,  <  READING,  4  f,  —  U 

READING,  4  1,  “  u  <  READING,  4  r. 


so  that 

l,-r.<u<ra- ls.  (4.3.4) 

Recall  that  la  and  ra  are  expressions  involving  READING,. 

This  last  constraint  reduces  the  uncertainty  u  in  terniB  of  READING,  which  is  itself 
constrained  in  terms  of  the  original  model  by  (4.3.3).  Together  with  (4.3.1)  this  also 
constrains  the  possible  range  of  n. 

In  the  special  case  that  the  expressions  la  and  r,  arc  independent  of  the  variable 
READING,  (c.g.  for  a  sensor  that  has  constant  error  characteristics  over  its  whole  range) 
there  is  no  need  to  introduce  READING,  as  a  plan  variable,  and  constraints  (4.3.1)  and  (4.3.4) 
suffice  to  constrain  the  possible  values  which  will  be  chosen  for  n,  and  for  characterizing 
the  uncertainty  u. 

At  first  sight  (4.3.4)  seems  to  underconstrain  the  uncertainty  u.  Recall,  however,  that 
it  is  the  uncertainty  at  plan  time  in  the  derivation  of  n  in  terms  of  o,  given  that  the  plan 
checker  has  no  knowledge  of  the  algorithm  the  robot  controller  will  use  in  determining 
a  consistent  set  of  nominal  values.  The  implemented  plan  checker  described  in  section  5 
makes  better  use  of  the  accuracy  of  available  sensors  by  introducing  three  complications. 
First  it  assumes  that  all  constraints  are  “well  behaved”  in  some  sense  and  that  the  plan 
checker  can  determine  at  plan  time  all  discontinuities  in  the  valid  values  for  a  plan  variable 
derived  from  a  sense  operation.  Secondly  it  plans  Bousing  operations  one  at  a  time,  with  an 
interpretation  phase  interposed  between  any  two  of  them.  Thirdly  it  conservatively  adds 
constraints  to  C;  which  ensure  that  the  robot  controller  can  use  the  nominal  value  returned 
by  the  sensor  as  the  nominal  value  for  the  physical  quantity  being  measured. 

4.2.3  The  restructured  plan. 

Let  P+  2  P  include  introduced  plan  variables,  and  U*  D  U  include  the  introduced 
uncertainty  variables.  Also  include  in  P +  any  variables  READING,  associated  with  sensor  s 
when  either  la  or  r,  included  it  in  their  supports. 
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The  new  expressions  associated  with  some  of  the  named  physical  quantities  in  the 
goemetry  g  of  a  plan  {g,  P,  U,  V,Cj,Cd,Cj;)  make  it  necessary  to  reconstruct  the  constraint 
sets  CA  and  Cg.  Let  the  new  versions  be  Cj~  and  C^".  Their  supports  do  not  contain  any 
variables  from  P  and  U  associated  with  a  named  physical  quantity  which  is  in  an  expression 
whose  value  will  be  sensed.  Let  be  the  geometry  g,  along  with  the  new  associations  of 
expressions  and  named  physical  quantities. 

Let  C$  be  the  set  of  constraints  on  the  new  variables  which  can  be  deduced  at  plan 
time.  Each  sensor  contributes  either  two  or  three  constraints,  A  sensor  with  error  dependent 
on  its  reading  contributes  cpnstraints  (4.3.1),  (4.3.3)  and  (4.3.4).  A  sensor  with  independent 
error  contributes  only  (4.3.1)  and  (4.3.4).  Clearly 

support^ Cs)  C  P+ 


The  restructured  part  of  the  plan  which  follows  sensing  can  now  be  written  as 

P+  =(g+,P+,u+,v,ct,ct,cp 

where  Cj-  =  Cj  U  Cs-  Once  constructed  it  can  be  analyzed  and  checked  by  the  plan 
checker  in  almost  the  same  manner  as  the  original  plan. 

The  only  way  in  which  the  resulting  plan  must  be  treated  differently  from  any  other 
plan  is  that  a  constructed  set  of  constraints  C yj  may  not  constrain  any  introduced  plan 
variables  in  the  set  P+  —  P.  The  implemented  plan  checker  described  in  section  5  actually 
keeps  track  of  such  variables  separately,  .and  constructs  sets  C m  with  support  in  the  original 
set  P.  Any  constraints  on  the  introduced  variables  are  thus  expressed  in  terms  of  constraints 
on  the  original  variables.  A  formal  notation  for  this  representation  has  not  been  introduced, 
in  the  interests  of  clarity  and  brevity. 

4.2.4  The  robot  controller  interprets  multiple  sensors. 

At  plan  execution  time  the  robot  controller  makes  measurements  using  all  the 
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prescribed  sensors.  It  then  must  interpret  the  values  in  order  to  choose  a  set  of  nominal 
values  for  various,  physical  parameters,  which  will  be  used  to  carry  out  the  planned  actions. 


The  plan  checker  sets  the  stage  for  the  execution  time  sensor  interpretation  by  con¬ 
structing  a  set  of  constraints  which  must  be  satisfied  by  the  new  nominal  values  to  be 
chosen  for  plaa  variables  in  P+  —  P. 

A  slight  extension  of  previous  notation  needs  to  be  introduced.  Given  a  set  of  con¬ 
straints  C,  a  set  of  variables  A  and  a  point  a  £  space[A),  then 

IPUM 

is  the  set  of  constraints  C  partially  evaluated  at  the  point  a. 

Let  M  be  the  set  of  all  forma]  variables  READING,,  one  associated  with  each  sensor  « 
to  be  used.  (Note  that  M  and  P'^  may  have  non-empty  intersection.)  Let  C*  be  a  set  of 
constraints  of  the  form 

READING,  -f  1,  <  n  <  READINC,  +  r,. 

There  is  one  such  constraint  for  each  nominal  expressions  n  being  sensed  by  sensor  s. 

Now  consider  the  situation  at  plan  execution  time.  The  plan  variables  in  P  already 
have  nominal  values  assigned  to  them.  Let  p  £  space(P)  represent  those  assignments.  The 
sensors  are  all  read.  The  result  is  a  point  m  £  M.  (Recall  that  the  error  characteristics  of 
the  sensors  are  encapsulated  in  the  constraints  set  C$.)  The  problem  then  is  to  determine 
a  set  of  nominal  values  for  the  variables  in  P+  —  P,  consistent  with  the  sensor  readings, 
the  constraints  derived  at  plan  time  and  the  nominal  values  already  chosen  for  variables  in 
P. 


The  robot  controller  can  find  a  set  of  consistent  nominal  values  for  all  plan  variables, 


by  choosing  a  point 


p+  £  space(P+) 


proj[P+,P,p+)  =  p 
and 

p+  £proj(P+  \jU+,P+,sat([  [C7  UCS  UCM|f>(p)]M(m)lP+  Ut/+)). 

The  first  of  these  two  requirements  simply  Bays  that  the  old  nominal  values  for  variables 
in  P  are  retained.  The  second  takes  into  account  the  sensor  readings  and  chooses  an 
interpretation  of  the  sensors  consistent  with  the  existing  constraints. 

4.2.5  Sensors  can  checkpoint  plans. 

Given  that  a  sense  operation  has  been  introduced  into  a  plan  it  is  possible  for  the  robot 
controller  to  check  that  the  sensor  readings  could  possibly  correspond  to  the  model  of  the 
world  used  by  the  robot  planner  and  the  plan  checker.  It  implicitly  must  do  this  in  order 
to  interpret  the  sensor  values  and  choose  nominal  values  for  the  quantities  being  measured. 
I.e.  it  implicity  checks  whether 

sat([  (Cj  U  Cs  U  CmMp)  ]M(m),P+  U  U+) 

contains  a  point  consistent  with  the  values  for  variables  in  P,  and  the  sensor  readings,  when 
searching  for  an  interpretation  of  the  sensor  values.  If  such  a  point  does  not  exist  then  the 
measurements  from  the  sensors  are  inconsistent  with  the  model  of  the  world. 

The  plan  checker  can  arrange  for  the  robot  controller  to  do  more  however.  The  robot 
controller  can  be  told  how  to  to  identify  which  sensor  readings  are  implausible  in  themselves. 

At  plan  time  the  plan  checker  can  include  in  P+  a  variable  READING,  Tor  each  sensor 
s,  independent  of  whether  l ,  and  r,  depend  on  that  variable,  and  include  a  constraint  of 
the  form  (4.3.3)  in  C$.  Then  it  can  compute  a  set  B,  where 

B,  2  proj(P+  Ut/  +  ,{  READING,  },Sflt(C;  UCs,P+  Ul/+))> 

Then  at  plan  execution  time  when  sensor  s  is  read,  and  a  value  m,  is  returned,  the  plan 
can  be  checked  by  testing  whether  m,  6  B»-  If  not,  then  the  planned  model  definitely  does 


not  fit  the  current  physical  situation.  Furthermore  the  identity  of  sensor  s  can  give  any 
error  recovery  system  a  handle  on  where  the  inconsistency  lies. 


4.3  How  additional  constraints  affect  the  plan. 

In  section  1.2  six  possible  outcomes  for  a  plan  checking  algorithm  were  outlined.  That 
grouping  was  somewhat  arbitrary  but  the  six  outcomes  are  maintained  here  to  explain  how 
different  properties  of  a  computed  set  Cy  can  be  used  to  characterize  what  can  be  done 
to  fix  a  plan.  The  mathematical  considerations  in  the  characterization  of  the  set  C y  are 
treated  for  the  six  outcomes  below. 

It  should  be  emphasized  the  the  particular  set  C  y  computed  by  a  plan  checker  depends 
on  the  plan  checker  itself.  Plan  checkers  differ  in  the  extent  to  which  they  need  to  alter  a 
plan  to  assure  themselves  that  it  will  work.  Such  differences  can  be  compared  if  costs  are 
ascribed  to  possible  alterations  to  a  plan.  The  issues  involved  will  not  be  addressed  in  this 
paper. 

4.3.1  What  the  plan  checker  does. 

The  plan  checker  is  given  a  plan  P.  It  computes  a  set  C*  of  additional  initial 
constraints  that  it  deems  necessary  to  guarantee  that  the  plan  is  sound.  If  support{ C j^)  C 
P  then  it  is  finished  and  the  final  plan  is 

(g,P,U,V,Cj  uCv»C>,Cp). 

Otherwise  the  plan  checker  introduces  sensing  into  the  plan  to  derive  plan  P  +  .  It  then 
computes  a  new  Bet  C^~  as  before  on  the  basis  of  P4'  resulting  in  a  final  plan 

(ff+  p+,u+,v,ciuct,c+,  Cj). 
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4.3.2  Six  outcomes. 


0* 


OUTCOME  1:  If  no  sensing  was  introduced,  support(Cu)  C  P  and  (A)  and  (G)  hold  then 
the  new  plan  is  sound  and  is  simply  the  given  plan  subject  to  some  extra  constraints  on 
the  plan  variables.  That  is  to  say,  some  of  the  as  yet  unresolved  decisions  concerning  the 
plan  have  been  further  constrained. 

Furthermore,  if 

C*=0 

or  more  generally 

sat(Cj  UCa/.PUI/)  =  sat(C;,PUf/} 

then  the  orginal  plan  is  the  same  as  the  new  one,  so  in  fact  the  original  plan  was  sound. 

OUTCOME  2:  Suppose  sensing  has  been  introduced,  (A)  and  (G)  are  true  for  the  new  plan 
and  sxipport[C^)  C  P+.  Then  the  plan  with  sensing  is  Bound. 

OUTCOME  3:  Suppose  sensing  has  been  introduced,  (A)and  (G)  are  true  for  the  new  plan, 
but  supporl(Cy)  0  P+,  while  support(C^)  C  P+  Uf/+.  In  this  case  plan  P  +  should 
be  rejected  and  the  plan  checker  should  back  up  to  the  original  plan  P  augmented  with 
C>.  Note  that  suppori(C >,)  P.  Now  the  previous  plan  islands  should  be  rechecked, 
but  with  Cj  U  Cj/  as  a  stronger  goal  constraint  than  previously  supplied.  Essentially  this 
strategy  will  force  sensing  to  be  carried  out  earlier  in  the  overall  plan  so  that  the  propagated 
uncertainty  that  reaches  this  plan  island  will  be  reduced. 

OUTCOME  4:  If  any  of  the  above  conditions  are  met,  except  that  (G)  does  not  hold,  then 
the  new  plan  is  physically  realizable  except  that  it  doesn’t  achieve  the  desired  goal.  The  set 
of  final  states  which  can  arise  should  be  propagated  forward  to  the  next  planning  island, 
in  the  hope  that  subsequent  sensing  and  actions  can  be  modified  to  handle  the  uncertainty 
introduced  at  this  step  of  the  plan. 

OUTCOME  5:  If  none  of  the  above  conditions  could  be  met  (e.g.  there  are  neither  powerful 


S3 


I 


I 


V 


i 


i 


enough  sense  operations  available  nor  could  the  planning  islands  before  and  ahead  of  this 
island  be  adapted  sufficiently)  then  the  plan  F  is  unworkable  in  the  context  of  the  global 
plan. 

OUTCOME  6:  If  «at([C j  U  P)  =  0  then  the  plan  is  unworkable  independently  of 

how  much  the  uncertainties  in  the  physical  system  can  be  reduced  by  sensing  operations. 
The  test  simply  asks  whether  the  constraints  are  satisfiable  even  with  zero  uncertainties. 
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5.  An  Algorithm  For  Dealing  with  Position  Errors  And  Toleranced  Parts 


© 


At  the  heart  of  a  plan  checker  there  must  be  a  system  which  can  reason  about 
constraints,  about  their  satisfying  sets,  and  about  the  projections  of  those  satisfying  sets 
into  subspaces. 

The  ACRONYM  (Brooks  (1981a))  system  used  such  a  constraint  manipulation  system 
to  reason  about  consistent  interpretations  of  image  features.  This  section  takes  a  constraint 
manipulation  system  of  the  form  used  by  ACRONYM  and  constructs  an  algorithm  for 
checking  the  algebraic  aspects  of  robot  plans.  It  is  capable  of  producing  five  of  the 
six  outcomes  previously  detailed.  In  particular  it  propagates  constraints  forwards  and 
backwards  amongst  planning  islands,  it  introduces  sensing  operations  when  necessary  and 
appropriate,  and  when  a  plan  is  rejected  it  gives  some  analysis  of  what  is  wrong  with  the 
plan.  Extending  it  to  include  the  sixth  possible  outcome  (outcome  4)  is  straightforward, 
but  the  extra  complexity  detracts  from  the  presentation  of  the  algorithm. 

Section  5.1  introduces  some  more  notation  concerning  satisfying  sets  of  sets  of  con¬ 
straints. 

Section  5.2  details  the  formal  properties  of  the  constraint  system  used  in  the  plan 
checker.  It  is  known  as  the  SUP-  INF  method.  These  properties  are  precisely  those  needed 
by  the  plan  checker  developed  through  the  rest  of  section  5.  Any  other  constraint  system 
with  these  properties  could  equally  be  used  as  the  core  of  the  plan  checking  algorithm.  The 
performance  of  the  constraint  system  (and  hence  the  algorithm)  is  not  formally  addressed. 
The  constraint  system  used  here  is  understood  formally  when  restricted  to  linear  sets  of 
constraints.  However  for  non-  linear  constraints  the  best  characterization  known  so  far  is 
informal  and  empirical.  Section  4.3  discusses  the  issue  of  comparison  of  performances  of 
plan  checking  algorithms. 

Section  5.3  introduces  an  important  sub-  procedure.  It  projects  a  set  of  constraints 
into  a  8ubspace,  over  the  satisfying  set  of  a  second  set  of  constraints.  This  procedure  is  the 
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workhorse  for  constructing  sets  C  v 

Section  5.4  describes  the  main  plan  checking  algorithm  based  on  the  SUP-INF  method. 
Section  5.5  details  how  the  SUP  INF  method  can  be  used  to  decide  which  physical  quantities 
need  to  be  sensed,  and  section  5.6  gives  a  detailed  example  of  the  plan  checker  on  the  four 
coupled  plans  introduced  in  section  2.2. 

5.1  More  notation. 


The  constraint  methods  used  at  the  core  of  the  plan  checking  algorithm  described  in 
the  following  sections  rely  6n  estimating  bounds  on  expressions  over  satisfying  sets  of  Bets  of 
constraints.  Some  additional  notation  is  convenient  in  order  to  characterize  their  behavior. 


DEFINITION:  Given  an  expression  e,  and  a  set  of  constraints  C,  let  W  —  suppori(e )  U 
support(C),  let  S  =  a(it{C,  W)  then  define 


lub(e,C)  —  sup[e]w(p) 
PCS 


glb(e,C)=  inf  (c]w(p). 

p€S 

Thus  lub(e,  C)  is  the  least  upper  bound  on  the  values  achieved  by  the  expression  e  over  the 
satisfying  set  of  the  constraints  C.  The  greatest  lower  bound  glb(e,  C)  is  defined  similary. 


5.2  The  computational  tools. 


Bledsoe  (1975)  introduced  what  he  called  the  SUP- INF  method,  to  determine  whether 
sets  or  linear  equalities  had  integer  solutions.  The  problems  he  wished  to  solve  arise  in 
automatic  generation  of  proofs  of  correctness  of  programs  using  methods  of  inductive 
assertions.  Shostak  (1977)  extended  the  method  and  showed  that  it  was  equivalent  to  the 
simplex  method  over  real  linear  inequalities. 


This  author  (Brooks  (1981a),  (1981b))  extended  the  SUP -INF  method  to  handle  a 
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large  class  of  non  linear  inequalities,  and  included  simple  extensions  to  handle  certain 
elementary  functions  (e.g.  sin  and  cos)  in  a  primitive  way.  To  support  an  implementation  of 
a  complete  plan  checker,  the  author  had  to  extend  the  method  further  to  handle  disjunctions 
of  both  inequalitities  and  conjunctions  of  inequalities.  It  already  implicitly  handled  simple 
conjunctions  of  inequalities.  As  a  by-  product  of  this  development  it  became  possible  to 
include  a  much  fuller  treatment  of  quadratic  forms. 

This  section  describes  the  computable  functions  of  the  extended  SUP-INF  method, 
and  characterizes  their  capabilities.  The  precise  algorithms  used  in  the  earlier  versions  of 
SUP -INF  method  can  be  found  in  Brooks  (1981a)  and  Brooks  (1981b). 

Expressions  handled  by  the  extended  SUP-INF  method  can  include  operations  for 
addition,  subtraction,  multiplication,  division,  square  root,  maximum,  minimum,  and  (to 
a  limited  extent)  some  trigonometric  functions.  Operations  arc  on  numbers,  the  special 
symbols  oo  and  —  oo  and  formal  variables. 

Constraints  are  inequalities  and  conjunctions  and  disjunctions  of  constraints. 
Disjunctions  can  arise  from  simple  inequalities  if  MIN  is  placed  on  the  left  of  “<”  or  MAX 
on  the  right. 

5.2.1  Bounding  with  projections. 

The  SUP-INF  method  takes  its  name  from  two  procedures,  SUP  and  INF  which  bound 
expressions  over  satisfying  sets  of  constraint  sets.  In  general  they  do  not  provide  the  best 
possible  bounds,  but  in  many  cases  (linear  for  instance,  see  below,  but  also  often  otherwise) 
they  do. 

Typically  the  symbolic  result  of  SUP  will  be  an  expression  of  the  form  min(ei, . . . ,  <?«) 
while  the  result  of  INF  will  be  of  the  form  max(ei, . . . ,  en). 

Consider  as  an  example  the  set  of  constraints  defined  by 
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Cf  =  {iXi<y,i  +  y<7>. 

Then  the  procedures  SUP  and  INF  produce  the  results: 

SUP(“i  -f  V",  Cf ,  {  y  »  =  min(7, 2.1926  -f  y,  y  +  y/y) 

and 

INF(“i",Cf,0)  =  -3.1926 

The  two  procedures  take  three  arguments.  First  consider  the  following  special  case. 
Let  e  be  an  expression,  C  a  set  of  constraints,  and  suppose  that  support(e)  C  support(C). 
Then  Brooks  (1981a)  shows  that 

lub(e,  C)  <  SUP(e,  C,0) 
and 

glb{e,  C)  >  JNF(e,  C,0) 
whenever  C  is  satisfiable,  i.e.  whenever 

sat(C,  suppori(C))  ^  0. 

No  guarantee  is  made  concerning  the  results  returned  by  SUP  and  INF  when  the  constraints 
are  not  satisfiable. 

For  linear  sets  of  constraints  the  extended  versions  of  SUP  and  INF  behave  identically 
to  those  of  Shostak  (1977).  He  showed  that  under  those  conditions  they  actually  find 
the  best  possible  bounds.  That  is  for  a  constraint  set  C  which  consists  entirely  of  linear 
constraints,  and  a  linear  expression  e  then 

lub(e,  C)  =  SUP(e,  C,  0) 

and 

glb(e,  C)  —  INF(e,  C,0). 
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SUP(e,  C,  {  y  }) 

le J{  x,y  }  {  x,  y  })) 

y 

sat(C,{x,y}) 


Figure  10.  An  illustration  of  the  projection  and  bounding  behavior  of  the  procedures  SUP 
and  INF.  The  text  contains  detailed  commentary. 

tT  Procedures  SUP  and  INF  are  more  general  however.  Given  a  satisfiable  set  of  con¬ 

straints,  an  expression  over  the  satisfying  set,  and  a  subspace,  SUP  and  INI1'  compute  sur¬ 
faces  defined  over  the  projection  into  the  subspacc  of  the  satisfying  set,  which  everywhere 
bound  the  expression  over  the  inverse  image  of  the  projected  points  in  the  original  satisfying 
set.  More  formally,  but  perhaps  more  clearly,  suppose  support(C)  C  W,  V  C  W,  and  e  is 
an  expression  where  support(e)  C  W.  If 

sat(C,  W)  ^  0 

then 

support(SUP(e,C,F))  C  V, 
support(INF(e,C,  V-))  Q  V 

and 

Vx6  sat(C.VF),  (5.2.1) 

(SUP(e,C,  V)\v(proj(W,V ,z))  >  [e]w(x)  >  (lNF(c,C,  V)}v(proj(W,V ,*)). 
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Figure  10  gives  an  illustration  of  these  capabilites.  There  the  set  W  is  defined  by 
W  —  {x,y},  and  V  =  {y}.  The  constraint  sot  C  is  satisfied  by  the  region  shaded  in 
the  x-y  plane.  The  expression  e  takes  values  in  the  reals  D?  over  the  satisfying  set  and 
gives  rise  to  the  surface  patch  illustrated.  The  darkened  region  of  the  y-axis  illustrates  the 
projection  of  the  satisfying  set  sat(C,  W)  into  space(V).  The  shaded  region  in  the  y  3?  plane 
is  the  corresponding  projection  of  the  values  achieved  by  e.  The  curves  in  the  y  5?  plane 
above  and  below  that  shaded  region  correspond  to  the  values  achieved  by  the  expressions 
returned  by  SUP(e,  C,V)  and  lNF(e,  C,  V),  both  expressions  in  y,  over  the  porjection  of 
the  satisfying  set.  Notice  that  they  are  upper  and  lower  bounds  on  the  projection  of  the 
surface  patch  generated  by  e. 

5.2.2  A  partial  decision  procedure. 

The  procedures  SUP  and  INF’  can  be  combined  (following  Dledsoe  (1975))  to  produce 
a  partial  decision  procedure  on  sets  of  constraints.  The  decision  concerns  whether  a  set  C 
of  constraints  is  consistent,  i.c.  whether  the  constraints  are  satisfiable,  or  formally  whether 

sat(C,  support^ 0))  ^  0. 

That  the  procedure  is  partial  comes  from  the  fact  that  it  can  not  always  decide  whether 
or  not  this  is  thr  case.  In  fact  it  has  two  outcomes;  one  that  the  satisfying  set  is  definitely 
empty,  and  the  other  that  it  doesn’t  know.  This  property  is  the  cost  of  requiring  that 
it  always  terminate  in  some  bounded  time  determined  by  the  siac  and  complexity  of  the 
constraint  set  C. 

The  decision  procedure  is  called  DECIDE.  Given  a  set  of  constraints  C,  then  if 

Vu€  support(C),  lNF(u,C,0)  <  SUP(v,C,0) 

(where  the  definition  of  “<”  is  extended  to  handle  ±oo  correctly)  DECIDE(C)  returns 
“ possibly  satisfiable”  (or  true),  else  it  returns  "definitely  unsatisfiable ”  (or  false). 

The  procedure  DECIDE  is  sound  in  the  sense  that  it  never  returns  an  incorrect  result. 
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This  follows  from  the  fact  that  SUP  and  INF  return  upper  and  lower  bounds  over  the 
satisfying  set  of  a  set  of  constraints. 

Of  course  a  procedure  which  always  returns  “possibly  satisfiable ”  is  also  sound  under 
this  definition  of  soundness.  Such  a  procedure  happens  to  be  worthless,  however.  A  partial 
decision  procedure  is  only  interesting  is  it  sometimes  detects  unsatisfiable  sets  of  constraints. 
The  more  often  it  successfully  detects  such  sets,  the  more  interesting  it  is. 

The  only  characterization  of  the  extended  SUP-INF  decision  procedure  is  empirical. 
In  practice,  in  its  use  in  the  ACRONYM  system  there  was  never  a  case  observed  where 
it  failed  to  detect  an  inconsistent  set  of  constraints.  However  it  is  possible  to  construct 
a  set  of  constraints  which  is  in  fact  inconsistent,  on  which  DECIDE  returns  “possibly 
satisfiable”.  The  philosphy  adopted  in  ACRONYM  was  that  if  there  was  a  failure,  to  detect 
an  inconsistency  at  some  point  in  the  computation,  it  would  more  than  likely  be  detected 
later  as  the  implications  of  the  inconsistency  were  propagated  and  became  less  subtle. 

5.3  A  critical  sub-procedure. 

Besides  DECIDE,  another  important  sub -procedure  used  in  the  plan  checker  is 
PROJCS.  It  projects  a  set  of  constraints  into  a  subspace  over  the  satisfying  set  of  a  second 
set  of  constraints  in  such  a  way  that  points  which  satisfy  the  projected  constraints  also 
satisfy  the  original  constraints.  Essentially  it  tries  to  find  prismatic  subsets  of  the  satisfy¬ 
ing  set  of  the  first  set  of  constraints,  with  elongation  orthogonal  to  the  projection  subspace, 
which  are  wholly  contained  in  the  satisfying  set  of  the  second  set  of  constraints. 

Given  variables  sett  W  and  V  where  V  C  W  and  constraint  sets  Cj  and  C2  where 
8upport( Ci)  C  W  and  $uppori(G2)  C  W,  the  procedure  PROJCS  simply  computes  the 
projection  of  Ci  from  space(W)  to  spacc(V),  over  the  satisfying  set  of  Ca,  by 
PROJCS(W',K,Ct,Ca) 

=  {“SUP(a,C2,  V)  <  INF(6,  C2,  V)”  |  “a  <  6”  €  Ci,SUP(a,  C2,0)  £  INF(b,C3,0) }. 
If  a  constraint  contains  conjunctions  or  disjunctions  then  PROJCS  simply  maps  this  projec¬ 
tion  over  the  terms.  Thus  PROJCS  is  a  computable  procedure  which  returns  a  set  of 
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constraints.  The  set  V  supports  those  constraints.  The  comparison  of  the  numeric  upper 
and  lower  bounds  of  a  and  b  respectively  simply  Rerves  to  prune  out  constraints  which  are 
trivially  true  over  the  satisfying  set  of  Cj.  The  key  property  of  procedure  PUOJCS  is  given 
by  the  following  lemma. 

LEMMA:  Let  C  =  PROJCS(W,  K.Ci.Cj).  Then 

sai(CUC2>W0  C  sat(Ci,W). 

PROOF:  Let  *  €  sat( C  U  C2,  W),  and  let  a  <  b  where  a  and  b  are  expressions  in  W  be  a 
constraint  in  Ci  which  is  not  trivially  satisfied  over  sat(C2,  W). 

Since  i  6  suf(Cj,  W),  then  by  the  definition  of  function  SUP  (see  (5.2.1)) 

\a]w(x)  <  |SUP(a,  C2,V)]v(proj[W,V ,  x)) 

and 

(INF(6,  C2,  V)\v(proj(W,  V,  x))  <  (6)w(r). 

But  z  £  sat(C,  IV)  also  and  hence  satisfies  every  constraint  in  C.  In  particular  C  includes 
the  constraint 

SUP(a(C2,V)  <  1NF(6,C2,V) 

and  hence 

Hw(*)  <  [&lvp(*)» 

Thus  x  €  «at(Ci,Wr)-l 

The  procedure  PROJCS  often  results  in  a  set  of  constraints  whose  satisfying  set  is 
expressed  as  a  disjunction  of  sets  satisfying  subsets  of  the  constraints.  This  is  because 
it  construct  inequalities  by  putting  expressions  produced  by  INF,  which  includes  “max" 
expressions,  on  the  right  of  “<”  symbols,  and  expressions  produced  by  SUP,  which  include 
“min”  expressions,  are  put  on  the  left. 


5.4  Checking  a  plan. 


The  plan  checker  must  check  a  sequence  of  subplans  at  a  particular  level  of  abstraction. 
A  procedure  CHECK  is  defined  later  in  this  section  which  checks  individual  subplans,  or 
plan  steps.  It  must  be  used  by  a  higher  level  plan  checker  which  typically  would  be  part 
of  the  actual  robot  planner.  In  this  paper  we  assume  a  simple  model  for  the  plan  checking 
aspect  of  the  robot  planner. 

First  it  is  given  an  initial  state  of  the  world  and  it  propagates  the  effects  of  actions  on 
the  world,  using  CHECK,  through  the  plan  steps  while  constraining  the  plan  variables  so 
that  all  actions  are  guaranteed  to  succeed.  Whenever  a  plan  step  is  reached  which  can  not 
be  guaranteed  to  work  by  constraining  plan  variables  or  sensing  at  that  step  of  the  plan, 
the  robot  planner  backs  up,  again  using  CHECK,  carrying  back  a  set  of  goal  constraints 
to  a  point  where  CHECK  can  guarantee  that  the  goal  can  be  satisfied.  It  then  proceeds 
forward  again  from  that  subplan  aptying  CHECK  and  propagating  the  results. 

This  process  is  illustrated  below  by  checking  the  four  plans  A  through  B  introduced 
in  section  2.2. 

Clearly  there  is  room  for  much  work  on  the  role  of  the  robot  planner  and  the  nego¬ 
tiations  which  can  take  place  between  adjacent  planning  islands.  This  paper  has  not  directly 
addressed  that  issue,  as  it  is  more  properly  part  of  the  planning  process  itself,  rather  than 
part  of  plan  checking  per  se.  What  this  paper  has  done  is  to  give  a  mathematical  framework 
within  which  those  negotiations  can  be  explored. 

5.4.1  Simple  checking. 

Figure  J1  defines  the  procedure  CIIECKSIMP.  It  is  the  part  of  the  plan  checker  which 
tests  whether  a  plan  can  be  guaranteed  to  work  simply  by  constraining  the  plan  variables. 

In  its  argument  list  P  is  the  plan  to  be  checked  and  P*  the  plan  which  follows  it  in  the 


procedure  CHECK  SIMP(,P,  P *,FEEDF*D) 
begin 

if  not  DECIDE(jC/  (J  C/]u(0u)) 

then  outcome  6 

else 


begin 

C *  <-  PRC  JCS(P  U  u,  P,  CA ,  Cl ) 
u(if  FEEDFWD 
then  0 

else  PROJCS(PUl/UP,P,C;,CjUC5)); 

if  DEC1DE(C;UC*) 

then 

begin 

if  FEEDFWD  then  PROPAGATE^*,  C;  U  C*  U  C$); 

return  outcome  1 

end 

else  return  other 


end 

end; 


Figure  11.  Procedure  to  check  whether  a  plan  will  work  tf  its  plan  variables  are  sufficiently 
constrained. 


chain  of  planning  islands.  A  flag,  FEEDFWD,  says  whether  the  initial  states  of  the  following 
plan  P *  should  be  used  as  a  goal  condition  (when  the  flag  is  false)  or  whether  the  initial 
states  of  the  following  plan  should  be  derived  f*-oni  the  current  plan  (when  the  flag  is  true). 
In  that  case  a  procedure  PROPAGATE  is  called  to  update  P .  Details  of  that  procedure  are 
not  considered  here. 

THEOREM:  If  procedure  CHECKSIMP  produces  outcome  1  then  the  plan 

{f>P>V>V>Cj  UCa,C4,C*) 

is  sound. 

PROOF:  It  suffices  to  show  that  conditions  (A)  and  (G)  hold. 

Since  C*  was  computed  by  procedure  PROJCS  the  lemma  of  section  5.3  says  that 
sat(Cj  \JCh,P\JU)  C  8at(CA,PUU) 
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Figure  12.  An  illustration  of  the  various  constraint  sets  and  their  satisfying  sets  involved  in 
finding  sufficient  constraints  on  plan  variables  tc  guarantee  that  a  plan  will  succeed.  The 
text  contains  detailed  commentary. 

whence  condition  (A)  is  proved. 

If  FEEDFWD  was  true  then  the  theorem  U  proved.  Otherwise  the  lemma  can  again  be 
used  to  establish  that 

sat(Cj  UCgijCMtPUUUV)  C  8at(Cj ,  P  U  U  U  V). 

But  P*  Q  P  and  V'  Q  U  U  V  whence  condition  (G)  is  satisfied.  | 
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5.4.2  A  more  intuitive  explanation. 


This  section  tries  to  give  a  more  intuitive  explanation  of  what  is  going  on  in  construct¬ 
ing  the  constraints  C x  above.  Consider  figure  12. 

For  simplicity  (and  drawabilty!)  the  sets  P,  U  and  V  have  been  compressed  to  single 
variables.  In  addition  the  axes  have  been  offset  so  that  they  don’t  go  through  the  zero  values 
of  variables  in  U  and  V.  The  large  region  outlined  in  the  P-U  plane  is  sal(Cj,Pu  U) 
—  the  set  of  initial  states  possible  for  the  original  plan.  The  region  in  the  P-V  plane  is 
sat(C],P'  U  U*).  Note  that  in  this  case  P  =  P*  and  V  =  U* .  The  smaller  region  in  the 
P-U  plane  is  the  region  where  the  action  of  plan  P  is  applicable  -  i.e.  sat[C;  UC^,P\jU). 

The  surface  floating  above  is  the  set  of  states  which  the  action  can  achieve  when  applied 
to  an  initial  state.  In  this  diagram  there  is  only  one  resultant  state  per  initial  state,  so  that 
it  could  be  represented  by  a  function.  The  surface  patch  is  given  by  sat( Cj  UC^,  P\jU\jV). 

The  role  of  procedure  CIIECKSIMP  is  to  further  restrtict  the  set  of  initial  states  to 
where  the  action  is  applicable  and  to  where  the  resultant  final  state  will  project  into  the 
set  of  initial  states  of  the  following  subplan  P* . 

To  avoid  wishful  thinking  (see  section  4.2)  the  cross  section  of  the  new  set  of  initial 
states  must  be  identical  in  the  U  direction  wherever  it  intersects  the  original  set.  This  is 
because  one  cannot  change  the  initial  uncertainties  purely  by  legislation  —  sensing  must 
be  introduced  if  that  is  desired.  Therefore  the  only  constraints  allowed  in  this  diagram  are 
ones  on  P,  and  so  they  must  be  parallel  to  the  U -axis. 

Condition  (A)  says  that  the  initial  states  should  be  confined  to  be  a  subset  of  the  points 
which  satisfy  C».  Condition  (G)  says  that  the  initial  slates  should  be  confined  so  that  the 
patch  of  final  states  above  them  projects  into  the  initial  set  of  the  following  subplan,  in 
the  P-V  plane  in  this  case.  The  dashed  lines  give  constraints  C >,  which  guarantee  that 
conditions  (A)  and  (G)  are  satisfied. 
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procedure  CIIECK(/>,  P\  FEEDFWD) 
begin 

case  CHECKSIMP(^,  P * ,  FEEDFWDjof 
1:  return  outcome  1; 

6:  return  outcome  6; 
other:  begin 

Cjy  «-  Cj,  U  (if  FEEDFWD 
then  0 

else  PROJCS(PUU  \JV,P\JU,C*j,Cj  UCp)); 
S- SENSEVARS(C;,Ca,,P,10; 

P+  «-  RESTRUCTURE^,  s); 
case  CHECKSIMP(P  +  ,  P+* ,  .true.)  of 
1:  return  outcome  2; 

6:  return  outcome  6; 
other:- if  PltOPl3ACK(^,  C*) 
then  return  outcome  S 
else  return  outcome  5; 

endcase 

end; 

endcase 

end; 

Figure  13.  The  main  plan  checking  algorithm. 


V 

5.4.3  Full  scale  checking. 


Figure  13  gives  the  main  plan  checking  algorithm.  It  uses  CHECKSIMP  to  check  the 
original  plan  and  simply  passes  on  the  result  if  the  plan  either  fails  to  work  completely  or 
if  it  can  be  guaranteed  to  work  by  simply  constraining  plan  variables.  Otherwise  CHECK 
attempts  to  introduce  sensing  into  the  plan  to  see  if  that  will  help. 


It  constructs  a  new  set  C.v,  using  PROJCS  as  does  CHECK,  but  this  time  its  support 
can  include  uncertainty  variables  from  U.  It  calls  a  procedure  SENSEVARS  described  in 
section  5.5  below  to  decide  which  of  the  uncertainty  variables  need  to  be  reduced  by  sensing 
to  meet  the  new  constraints  C ^ .  SENSEVARS  returns  a  set  of  physical  quantities  to  be 
measured,  and  associated  sensors  to  do  the  measurement. 


The  procedure  RESTRUCTURE  is  invoked  to  carry  out  the  operations  described  in 
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section  4.2  to  restructure  the  plan  P  by  introducing  new  plan  variables  whose  values  will  be 
instantiated  at  plan  execution  time  by  interpreting  the  chosen  sensors.  (Section  5.5  below 
shows  some  practical  simplifications  which  can  be  made  to  the  constraints  of  section  4.2. 
The  simplifications  are  not  approximations,  but  rather  conservative  estimates  which  result 
in  much  simpler  constraint  sets  and  thus  less  computation  time.  Their  drawback  is  that  in 
very  tight  situations  the  plan  checker  may  reject  a  plan  which  is  actually  valid.) 

Now  procedure  CHECK  invokes  CIIECKSIMP  again  to  check  the  restructured  plan. 
The  FEEDFWD  flag  is  passed  true,  so  that  subsequent  planning  islands  will  be  restructured  for 
the  new  sensing  variables.  If  CIIECKSIMP  says  that  the  restructured  plan  is  sound 
then  CHECK  is  done  and  by  the  theorem  above  the  plan  with  sensing  is  sound.  Otherwise 
the  procedure  PROPBACK  is  invoked.  It  recursivley  re-invokes  the  plan  checker  on  the 
previous  (and  already  checked)  plan,  with  FEEDFWD  false,  to  see  if  it  is  possible  to  deliver 
the  world  to  plan  P  in  a  state  where  the  uncertainties  meet  the  constraints  Cjy.  Of  course 
the  result  of  CHECK  on  the  previous  plan  may  again  result  in  PROPBACK  being  invoked, 
and  further  rocrusive  calls  of  CHECK  back  through  the  chain  of  plans.  If  that  recursion 
finally  fails  the  PROPBACK  returns  false  and  procedure  CHECK  gives  up  by  signalling 
outcome  5.  If  PROPBACK  is  successful  then  C n  defines  a  new  plan  which  is  again  sound 
and  outcome  3  is  the  result.  Examples  of  the  behavior  of  PROBACK  are  given  in  section 
5.6  below. 

5.4.4  An  example. 

The  function  CHECK  is  called  on  each  of  plan  A  through  plan  D  succesively,  with 
FEEDFWD  true,  so  that  the  initial  constraints  of  the  following  plans  arc  generated.  Section 
3.3  showed  the  initial  states  for  plan  ft  which  had  been  generated  from  plan  A.  In  that  case 
the  call  to  PROJCS  in  CIIECKSIMP  produces  no  new  constraints,  as  the  constraint  from 
Cj,  namely 

12.0  <  BOX-POS  <  36.0 


is  trivially  satisified. 


Plan  B  generates  no  new  state  information.  Finally  plan  C  generates  initial  constraints 

of 

12.0  <  BOX-POS  <36.0 
e<(BOX-POS)<  BOX-UNC  <e*(B0X-P0S) 
e<{BOX-POS)  <  LID-UNC  <  e*(BQX-P0S) 
ei(BOX-POS)<BOLT-UMC<eh(BOX-POS) 

where 

e,( x)  =  max  (0. 00022 15x  -  0.043262, 0.0009857x  -  0.063329) 
e*(x)  =  min(0.043262  —  0.0002253x,  0.063329  -  0.0009895x) 
for  plan  D.  Again  PROJCS  generated  no  new  constraints  in  this  case.  Note  that 

P  ={  B0X-P0S} 

U  =  {  BOX-UNC,  LID-UNC,  BOLT-UNC  }. 

When  CHECK  is  applied  to  plan  D  the  first  call  to  CHECKSIMP  fails  with  outcome 
“other”.  The  reason,  although  the  plan  checker  can  not  isolate  it  to  this  level  of  analysis, 
is  that  all  the  bolt  and  the  lid  line  up  well  enough  for  initial  insertion,  there  is  too  much 
uncertainty  in  the  relative  positions  of  the  box  and  lid  to  guarantee  that  the  holes  in 
them  line  up.  A  new  set  Cfj  is  computed  where  support(C h)  C  P  U  U .  The  procedure 
SENSEVARS  is  invoked  and  it  deduces  that  BOX-UNC  and  LID-UNC  have  smaller  ranges  of 
values  when  C constrains  the  intital  states  (SENSEVARS  is  described  in  more  detail  in 
the  next  section).  It  correctly  deduces  that  there  is  no  need  to  reduce  BOLT-UNC  anywhere 
in  the  range  of  box  positions. 

The  plan  is  restructured  to  introduce  sensing.  However  the  procedure 
RESTRUCTURE  notes  that  no  named  physical  quantities  are  introduced  in  plan  D,  so 
sensing  can  not  affect  any  action  which  is  to  take  place.  Therefore  it  immediately  invokes 
the  procedure  PROPBACK.  It  propagates  the  set  Cj  U  Cjy  back  to  plan  C  as  the  initial 
constraints  of  plan  D.  Thus  when  CHECKSIMP  is  invoked  on  plan  C  with  flag  FEEDFWD  Bet 
to  false,  it  is  realized  that  plan  C  needs  to  produce  a  more  tightly  constrained  world  state 
than  before.  Again  SENSEVARS  is  invoked  and  it  recommends  reductions  in  the  ranges  of 
BOX-UNC  and  LID-UNC. 


Procedure  RESTRUCTURE  is  once  again  invoked.  It  decides  that  since  there  is  only 


one  new  physical  quantity  to  be  introduced,  namely  bo/t:position,  and  since  it  depends 
only  on  lid: position,  then  it  can  only  possibly  help  to  sense  the  latter,  and  thus  it  can  only 
possibly  help  to  reduce  the  uncertainty  in  the  position  of  the  lid  and  not  in  the  position  of 
the  box.  Sensing  is  introduced,  and  then  PROPBACK  propagates  forward  from  the  new 
plan  C  to  plan  D  once  again.  However  plan  D  once  again  fails  as  the  relative  positions  of  the 
box  and  lid  have  still  not  changed,  and  so  there  is  no  guarantee  that  they  will  line  up  well 
enough  for  the  bolt  to  be  inserted  through  them  both.  Therefore  PROPBACK  continues 
to  back  up  from  plan  C.  The  result  is  described  below  in  section  5.6. 

5.5  Introducing  sensing. 

Section  5.4  described  procedures  to  check  plans.  A  major  subprocedurc  invoked  by 
CHECK  was  SENSEVAHS.  Its  job  is  to  select  physical  quantities  and  sensors  to  be  intro¬ 
duced  into  a  plan  to  guarantee  its  success.  There  are  two  stages  to  that  process.  First 
the  uncertainties  which  must  be  reduced  by  sensing  need  to  be  identified.  These  can  be 
determined  by  exaining  the  set  of  new  constraints  Cjy.  The  preoess  is  described  below. 

The  second  step  is  to  choose  sensors  which  will  indeed  reduce  those  uncertainties.  § 

5.5.1  Deciding  what  needs  to  be  sensed. 

Refer  to  figure  14.  The  outlined  area  in  the  P-(J  plan  is  the  original  set  sat(Ci ,  PUU). 

The  shaded  subset  of  that  area  corresponds  to  sat(Cj  \JC^,P\JV).  For  a  given  value  of  the 
single  plan  variable  in  P  a  piece  of  the  original  set  which  is  unshaded  represents  a  tightening 
of  constraints  on  the  single  uncertainty  variable  in  U.  In  general  it  will  be  necessary  to 
identify  whieh  uncertainty  variables  are  so  constrained. 

Consider  an  uncertainty  variable  u  G  U  and  the  problem  of  deciding  if  it  has  been 
further  constrained.  Let 

o,  —  SUP(u,  Cj,P  U  —  {  u  }) 
o,  =  INFKCj.Putf-M) 
ns==SUP(u,C;UCA,,PUf/-{u}) 
n,  =  INF(u, C/  UCjv,P(Jf/  —  {  u  }). 
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Expressions  os  and  o,  are  the  original  bounds  on  tt,  (expressed  as  functions  of  the  parts  of 
space  orthogonal  to  u)  and  ns  and  n,  are  bounds  on  the  newly  constrained  u. 

If  u  is  indeed  constrained  by  the  set  C m  then  there  existB  some  point 

x  £  Bpace(P  U  U  —  {  u  }) 


at  which  one  of 

lna]nj(/— {«}(*)  <  Nfuc/-{u}(s)  (5.5.1) 

Klpuu-fi*}!1)  >  [Oilpuy-fu}!1)  (5.5.2) 

is  true.  In  the  remainder  of  this  analysis  only  o,  and  ns  will  be  considered.  Dual  statements 
hold  for  n,  and  ot. 

To  determine  whether  condition  (5.5.1)  were  ever  true  it  would  suffice  to  examine 
os  —  ns  and  see  if  it  were  ever  positive.  However  o,  and  ns  will  typically  be  expressions 
involving  “min"  and  thus  their  difference  will  be  too  complex  for  the  SUP-INF  method. 

Suppose  however  that  na  =  min(n,i,nsa, . . .  ,n,*).  Then  if  for  any  e  >  0  one  of  the 

sets 

C  =  Cj  U  {u  >  ntJ  -f  e) 
is  satisfiable  then  condition  (5.5.1)  is  satisifed. 

Therefore  the  algorithm  SENSEVARS  simply  chooses  some  small  e  and  for  each  u 
applies  procedure  DECIDE  to  each  Bet  of  the  form  C  above.  If  at  least  one  of  the  sets 
is  shown  to  be  possibly  satisifiable  then  u  us  a  candidate  for  reduction.  Note  that  if  for 
some  u  all  sets  are  said  to  unsatisfiable  by  DECIDE  then  (since  DECIDE  only  says  sets 
are  unsatisifiable  when  indeed  they  are  unsatisfiable)  u  has  nowhere  been  reduced  by  more 
than  e  over  apace(P  U  U  —  {  u  )). 

In  the  example  of  sections  5.4.4  and  5.6  a  constant  (  of  0.000001  was  used. 
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5.5.2  Choosing  a  sensor. 


Once  the  uncertainties  are  to  be  reduced  by  sensing  have  been  chosen,  it  is  necessary 
to  carry  out  some  geometric  reasoning  to  find  which  quantities  can  be  measured  in  order 
to  reduce  those  particular  uncertainties.  Each  uncertainty  is  associated  with  a  particular 
named  physical  quantity  in  the  geometry  g  of  the  plan.  A  quantity  which  can  be  sensed  and 
which  depends  .on  that  named  physical  quantity  must  be  found.  That  topic  is  not  covered 
in  this  paper. 

Once  a  candidate  sensor  has  been  found  it  would  be  advantageous  to  determine  im¬ 
mediately  its  measurement  error  is  small  enough  to  provide  the  desired  reduction  in  uncer¬ 
tainty.  If  more  that  one  candidate  sensor  is  found  then  this  capability  would  be  even  more 
desirable.  The  SUP-INF  method  proves  useful  in  this  task  also,  but  more  work  remains  to 
be  done  on  the  topic  and  meanwhile  a  useable  plan  checker  can  be  implemented  based  on 
the  SUP-INF  method  without  this  capability. 

5.5.3  Deriving  the  constraints. 

Section  iA.2  defined  the  constraints  which  can  be  inferred;  from  adding  a  sense  opera¬ 
tion  into  apian.  Those  constraints  contain  many  variables  and  an  equality.  Such  constraints 
slow  down  the  SUP-dNF  method  significantly,  making  the  analysis  of  a  sensing  operation 
expensive.  It  turns  out  however  that  a  set  of  simpler  constraints,  essentially  projections  of 
the  exact  forms  mto  a  subspace,  are  almost  as  strong  as  the  originals.  Thus  it  is  possible 
to  trade  tune  spent  in  plan  analysis  for  the  possibility  of  missing  a  correct  plan  when  all 
constraints  are  extremely  tight.  Thjs  exactly  what  the  plan  checker  implemented  by  the 
author  does. 

In  addition  the  implemented  plan  checker  assumes  that  the  robot  controller  will  use 
the  nominal  value  returned  by  a  sensor  as  the  new  nominal  value  for  the  physical  quantity 
being  suited.  The  validity  of  such  sensor  interpretations  depends  on  the  ability  at  plan 
checking  time  to  be  able  to  split  up  a  satisfying  set  of  Cj  into  components  where  the 


physical  quantity  ranges  over  a  single  interval. 


Recall  the  notation  used.  A  physical  quantity  represented  by  the  expression  o  +  v, 
where  o  has  support  in  P  and  v  has  support  in  U,  is  to  be  sensed  and  to  be  represented 
by  the  expression  n  -j~  u  where  n  represents  the  nominal  value  and  u  the  uncertainty.  The 
implemented  plan  checker  introduces  the  following  three  constraints. 


n  +  la(n)  <  o  -f  SUP(t/,  C ; ,  support(o)) 

o  -+■  INF(v,  C;,  support(o ))  <  n  -(-  rs(n) 
la(n)<  u  <r,(n) 

The  first  two  are  an  expression  of  constraint  (4.3.1)  projected  into  a  subspace  of  plan 
variables.  The  projection  is  conservative  in  the  sense  that  anything  that  satisifies  these  two 
constraints  will  also  satisfy  (4.3.1).  Thus  the  plan  checker  will  have  more  situations  to  deal 
with  than  might  have  been  described  by  using  the  more  exact  constraint.  Since  no  explicit 
sense  variable  is  introduced,  but  n  is  used  directly  instead,  these  two  constraints  also  express 
the  relation  given  by  constraint  (4.3.3).  The  final  constraint  concerns  the  uncertainty  in 
the  sensed  quantity,  and  it  takes  the  place  of  constraint  (4.3.4). 

Notice  that  the  first  two  introduced  constraints  allow  n,  the  new  nominal  value,  to 
have  a  larger  range  of  values  than  o,  the  older.  Practically  thiB  often  means  that  some 
constraint,  newly  expressed  in  terms  of  n,  will  cut  down  the  allowed  range  of  values  for 
o  so  that  n  ends  up  having  the  same  range  aB  did  o  before  the  sensing  constraints  were 
introduced.  It  is  this  process  which  validates  the  use  of  the  nominal  sensor  reading  as  the 
nominal  value  for  the  quantity  being  measured. 

5.6  Completing  the  example. 

Consider  again  the  example  of  the  four  coupled  plans. 

After  rejecting  the  introduction  of  sensing  at  the  start  of  plan  C  the  procedure 


PROPBACK  works  back  through  plan  B  and  plan  A.  At  plan  B  it  notices  that  no  new 
physical  quantities  are  introduced,  so  sensing  can  not  help.  The  extra  constraints  request¬ 
ing  a  reduction  in  the  uncertainty  of  the  box  and  lid  positions  arc  carried  back  to  plan 
A. 


Procedure  SENSEVARS  suggests  that  the  box  position  should  be  sensed.  Since 
an  introduced  physical  quantity  lid: position  depends  on  box. -posit ion  the  procedure 
RESTRUCTURE  introduces  sensing  for  that  quantity. 


Now  the  new  constraints  are  propagated  through  the-series  of  plans  using  procedure 
CHECKS1MP.  Extra  constraints  get  added  to  the  new  plan  A  to  ensure  that  the  nominal 
value  of  the  sensor  can  be  used  as  the  nominal  value  of  box.-positlon.  For  instance  when 
the  sensor  has  error  characteristics 

—la[m)  =  r,(m)  =  0.0004  X  m 

then  the  constraint 


12.0454  <  BOX-POS  <  35.9579  • 

is  added.  No  extra  constraints  Cy  are  needed  until  plan  D  is  reached.  The  final  subplan 
places  extra  constraints  on  the  plan  variables  (the  initial  nominal  position  of  the  box, 

BOX-POS  is  the  only  plan  variable),  depending  on  the  error  characteristics  of  the  sensor.  The 
following  table  summarises  some  results. 


Resulting  C u 

—0.00035  X  x 

0.00035  X  x 

empty 

—0.00010  X  x 

0.00040  X  x 

BOX-POS  <  20.0892  V  28.1397  <  BOX-POS 

-0.00045  X  x 

0.00045  X  x 

BOX-POS  <  15.6811  V  30.7618  <  BOX-POS 

—0.00050  X  x 

0.00050  X  x 

BOX-POS  <  12.8564  V  33.9237  <  BOX-POS 

—0.00055  X  x 

0.00055  X  x 

unsatisfiabie 

The  sensors,  with  linear  error,  smoothly  degrade  the  range  of  initial  box  positions  which 
lead  to  final  success  of  plan  D.  With  an  error  factor  of  0.00035  the  plan  can  be  successfully 
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carried  out  wherever  the  box  is  initially  placed.  For  0.00040,  0.00045  and  0.00050  the 
central  region  of  the  working  area  of  the  manipulator  is  forbidden,  as  the  combination 
of  sensor  error  and  manipulator  uncertainty  makes  the  plan  infeasible.  If  the  only  sensor 
available  has  an  error  factor  of  0.00055  then  nowhere  is  sensing  powerful  enough. 

In  the  latter  case  when  the  planB  are  propagated  forward  from  plan  A  with  sens¬ 
ing  through  to  plan  D,  the  plan  checker  finds  that  the  set  Cy  computed  by  procedure 
C1IECKSIMP  leads  to  no  feasible  initial  positions  for  the  box.  There  is  nowhere  left  to 
propagate  backwards  from  plan  A  so  it  must  conclude  that  in  this  case  the  sequence  of 
plans  is  infeasible  due  to  inadequate  sensing. 


6.  Related  Questions 


This  paper  has  developed  a  formal  model  for  checking  robot  plans.  To  do  so  it  first 
developed  a  formal  model  of  plans.  Plans  are  the  result  of  planning.  The  plan  checker  is 
able  to  modify  plans,  but  there  has  been  no  development  in  this  paper  of  the  formal  process 
of  planning.  Thus  there  arc  some  deficiencies  in  the  model  of  plans  used.  Work  is  needed 
to  integrate  the  model  presented  here  with  more  creative  planning  processes. 

6.1  Planning. 

Most  work  on  planning  has  been  restricted  to  abstract  domains  where  there  is  little 
notion  of  a  metric,  let  alone  spatial  relations,  errors  or  tolerances. 

Sussinan’s  (1075)  HACKER  program  works  entirely  in  an  abstract  blocks  world. 
Sacerdoti’s  (1977)  NOAH  is  not  restricted  to  the  blocks  world,  but  every  problem  descrip¬ 
tion  requires  a  procedural  semantics  of  the  domain  to  accompany  it.  The  user  really  needs 
to  know  the  solution  in  advance  in  order  to  decide  the  form  of  the  semantic  description. 
Stefik’s  (1981)  MOLGEN  works  in  a  domain  of  planning  molecular  genetics  experiments, 
but  it  doesn’t  even  have  a  strong  notion  of  quantity.  All  these  programs  concentrate  on 
planning,  but  in  a  domain  with  impoverished  semantics.  The  semantics  of  their  worlds  can 
be  completely  specified  in  a  few  lines.  They  plan  within  that  very  simple  world.  Many 
of  their  ideas  are  useful  for  robot  planning,  but  one  should  not  suppose  that  any  of  these 
programs  are  capable  of  producing  plans  that  could  posBibly  work  in  a  real  world. 

The  ABSTRIPS  sytstem  (Sacerdoti  (1974))  is  often  cited  as  a  real  world  robot  plan¬ 
ning  system.  Indeed,  a  physical  robot,  SHAKEY,  was  controlled  by  plans  generated  by 
ABSTRIPS.  However,  SHAKEY  was  restricted  to  a  tightly  controlled  environment,  and 
much  careful  engineering  ensured  that  the  world  was  relatively  benign.  Errors  that  the  real 
world  introduced  were  handled  by  having  the  complete  planing  system  available  at  execu¬ 
tion  time  (in  PLANEX)  to  modify  the  pre-computed  plans.  As  such,  this  is  an  excellent 
idea,  where  runtime  processing  power  makes  it  viable,  to  handle  deviations  in  the  modelled 


world  from  that  encountered  in  the  real  world.  It  has  the  disadvantage  of  the  execution 
time  strategy  turning  into  somewhat  of  a  “hit-and  -miss”  affair,  where  the  models  are  not 
completely  adequate,  so  a  cycle  of  “action,  sense,  new  action  to  achieve  the  same  goal”, 
can  often  develop. 

Fahlman’s  (1973)  BUILD  system,  incorporated  three  dimensional  models  of  objects 
from  the  blocks  world.  Uncertainties  of  size  and  position  ((1973)  p.  48)  were  ignored  as  an 
extra  complication  to  be  tackled  later.  Fahlman  did  however  deal  with  objects  touching, 
gravity  and  frictional  forces.  BUILD  is  capable  of  impressive  behavior  in  the  face  of  complex 
arrangements  of  blocks  where  these  forces  are  significant.  Fahlman  claimed  that  “80%  of 
the  performance”  of  his  system  derived  from  the  level  of  detail  in  the  model  it  was  given  of 
a  particular  situation,  while  the  remainder  came  from  the  planning  knowledge  embedded  in 
the  system.  Further,  he  claimed  that  the  planning  aspects  are  greatly  simplified  by  having 
the  detailed  models.  His  system  is  probably  unable  to  deal  with  real-  world  problems,  but 
it  is  much  closer  than  the  other  planning  systems  mentioned  above. 

Moravec  (1980)  programmed  a  mobile  robot  to  navigate  through  a  cluttered  environ¬ 
ment  using  a  visual  map.  It  took  into  account  errors  and  their  effects  at  many  stages 
of  its  computations.  Because  of  its  simple  model  of  the  world  as  clusters  of  points  with 
known  three  space  coordinates  it  had  to  be  very  generous  in  enclosing  them  with  spheres 
to  be  avoided.  It  had  a  self  model  of  how  commands  to  its  motors  would  affect  its  three 
dimensional  location  and  orientation.  This  model  took  into  account  frictional  forces,  and 
errors,  but  always  assumed  worst  case  errors  to  analyze  the  possible  outcomes.  Features 
that  were  located  by  its  nine  eyes  were  also  considered  to  be  prone  to  error.  All  of  Moravec’s 
computations  were  of  the  form  of  propagating  errors  forward,  then  checking  the  result. 

Taylor  (197G)  has  carried  out  by  far  the  most  realistic  analysis  of  errors  in  robot 
planning  to  date.  He  used  some  symbolic  geometric  reasoning  techniques,  and  many 
powerful  numerical  techniques.  The  example  in  section  2.1  of  this  paper  is  originally 
due  to  Taylor.  His  work  differs  from  that  here,  in  that  he  essentially  propagated  errors 
and  tolerances  numerically  forward  through  a  physical  situation,  then  checked  at  the  end 
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whether  such  things  as  applicability  conditions  were  met.  If  not,  the  plan  was  cither  rejected 
or  modified  at  the  point  where  the  applicabilty  condition  was  violated  (e.g.  initiate  a  spiral 
search  using  force  sensing  to  find  the  hole  for  the  screw  to  fit  in). 

The  methods  presented  in  this  paper  have  their  roots  in  Taylor's  work.  Instead  of 
numerical  computation  in  one  direction,  the  computation  (of  the  constraints)  is  symbolic; 
the  computations  can  be  proceed  in  any  chosen  direction. 

Ambler  and  Popplestone  (1975)  and  Popplcstone,  Ambler  and  Bellos  (1980)  have  de¬ 
veloped  an  assembly  programming  system  which  has  many  elements  of  planning  in  it. 
They  use  geometric  models  of  objects  and  infer  spatial  locations  and  orientations  of  parts 
from  relationships  between  them  (e.g.  Hagainst”  or  “fits”).  They  do  not  take  into  account 
tolerances,  but  instead  work  with  nominal  representations  of  distances  and  angles.  Within 
the  framework  of  this  paper  much  of  what  they  do  can  be  characterised  as  finding  con¬ 
straints  on  plan  variables. 

6.2  Integration  of  planning  and  cheeking. 

The  details  of  how  the  implemented  plan  checker  propagates  information  from  plan 
island  to  plan  island,  and  exactly  how  it  might  fit  in  with  an  automatic  planning  system 
were  to  a  great  extent  ignored  in  this  paper.  That  is  largely  because  there  are  many  ways 
to  integrate  such  plan  checkers  with  planning  systems. 

A  plan  checker  such  as  presented  here  could  be  integrated  with  a  robot  programming 
language  at  a  number  of  different  levels.  The  programmer  might  be  required  to  model 
cxplictly  the  uncertainty  effects  of  each  individual  motion  command,  along  with  providing 
explicit  pre-conditions  on  the  applicability  of  that  motion.  The  plan  checker  could  then 
treat  every  motion  command  as  an  individual  plan  island  in  a  sequence  of  planned  steps, 
check  its  validity  and  propagate  the  uncertainties  to  the  next  motion  command.  Like  a 
smart  compiler  it  could  provide  error  messages  about  why  the  sequence  of  motions  might 
be  invalid.  In  a  higher  level  robot  programming  language  which  included  geometric  models 
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of  the  manipulator  and  objects  in  the  world,  applicability  and  geometric  constraints  could 
be  inferred  more  automatically  by  examing  the  motion  statements.  Again,  advice  could  be 
given  to  the  human  programmer  concerning  critical  points  in  the  program  where  sensing 
was  needed,  or  new  motion  commands  were  required. 

A  more  automatic  planning  system  culd  also  benefit  from  the  plan  checking  approach 
presented  in  this  paper.  Doth  Lozano-Perez  (1976)  and  Taylor  (1976)  have  discussed 
planning  systems  which  expand  skeleton  program  fragments  into  complete  robot  programs 
by  taking  into  account  the  constraints  implied  by  the  geometry  of  the  particular  world 
instance.  Often  there  are  decisions  to  be  made  in  fleshing  out  such  skeletons  which  must 
rely  on  global  interactions.  The  plan  checker  presented  here  could  be  used  as  such  a  decision 
tool.  At  the  same  time  it  can  be  used  as  the  “test”  part  of  a  “generate  and  test”  approach 
which  the  planner  might  use  for  decisions  which  its  expertise  gives  no  guidance. 

The  IlAPT  system  of  Popplestone,  Ambler  and  Dellos  (1980)  takes  over  some  of  the 
planning  burden  from  the  human  programmer.  From  the  discussion  of  the  previous  section 
it  is  clear  that  much  of  what  the  plan  checker  does  is  in  the  spirit  of  the  Rapt  system’s 
approach  to  planning  by  solving  relational  constraints.  It  seems  that  a  plan  checker 
following  the  framework  described  in  this  paper  could  be  naturally  built  on  top  of  RAPT. 

6.3  The  form  of  constraints. 

The  constraints  used  in  the  implemented  plan  checker  are  all  algebraic  inequalities. 
Ideally  one  would  like  to  find  ways  to  express  much  more  geometric  constraints  and  develop 
partial  decision  procedures  that  could  deal  with  them  in  a  manner  adequate  for  using  the 
model  of  plans  presented  in  this  paper.  The  algebraic  constraints  used  to  date,  constrain 
parameterizations  of,  essentially,  “topologically”  equivalent  situations.  They  give  no  hint 
how  to  talk  about  classes  of  states  whose  members  include  radically  different  topologies. 

The  model  of  plans  (but  not  of  sensors)  given  in  section  3  is  independent  of  the  variables 
being  real  -valued  or  the  constraints  being  inequalities.  This  gives  some  hope  that  it  may  be 


possible  to  extend  the  plan  checking  formalism  into  the  area  of  geometric  checking,  besides 
the  the  purely  algebraic  aspects  presented  here. 

6.4  Summary. 

This  paper  has  concentrated  on  the  algebraic  aspects  of  robot  plans  that  include  explicit 
models  of  uncertainties  in  the  physical  world.  Earlier  work  (Brooks  (1981a))  has  shown  how 
to  map  from  the  geometry  of  a  world  model  to  the  algebraic  aspects  studied  here.  A  formal 
model  of  plans  was  developed,  and  a  formal  model  of  a  plan  checker  followed.  The  details 
of  implementing  a  particular  plan  checker  were  discussed,  and  it  was  shown  that  the  plan 
checker  could  check  the  plan,  constrain  certain  decisions  and  introduce  sensing  in  order  to 
ensure  that  the  plan  would  work. 
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Appendix 


The  example  introduced  in  section  2.2  and  referred  to  throughout  the  paper  has  been 
checked  by  an  implemented  plan  checker.  The  plan  checker  runs  on  a  Lisp  Machine  at  the 
Artificial  Intelligence  Laboratory  at  the  Massachusetts  Institute  of  Technology.  Below  is 
given  the  input  specification  to  the  checker  which  describes  the  four  coupled  plans.  This 
was  generated  by  hand,  but  in  the  future  rnay  be  generated  as  the  product  of  a  task  level 
planning  system. 

First  the  plan  data-base  is  initialized  and  then  the  named  physical  quantities  are 
declared.  The  entries  POS  and  UNC  simply  declare  the  postfixes  to  be  used  in  generating 
internal  variable  names,  so  that  internal  data  structures  can  more  easily  be  debugged.  The 
POSITION  entry  defines  the  type  of  each  named  physical  quantities  (another  example  might 
be  ANGLE). 

; ; ;  example  of  four  coupled  plans 
(INITIALIZE- PLAN-DATA-BASE) 

<>• 

; ; ;  named  physical  quantitites 

(NPQDEC  BOX  POSITION  POS  UNC) 

(NPQDEC  LID  POSITION  POS  UNC) 

(NPQDEC  BOLT  POSITION  POS  UNC) 

Functions  are  then  defined  to  specify  the  uncertainty  behavior  of  the  manipulator. 
There  is  no  specific  model  of  the  manipulator  used  by  the  plan  checker  at  this  level.  The 
manipulator  behavior  is  encoded  in  the  sets  of  constraints  Cg. 

; ; ;  upper  and  lover  bounds  on  manipulator  uncertainty 
(FUNDEF  EL  (X) 

(MAX  (♦  (*  0.0002216  X)  -0.043262)  (♦  (*  0.0009857  X)  -0.063329))) 

(FUNDEF  EH  (X) 

(MIN  (♦  (*  -0.0002253  X)  0.043262)  (♦  (*  -0.0009895  X)  0.063329))) 

The  error  characteristics  of  the  sensor  are  defined,  and  then  a  model  of  the  sensor  itself 
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is  given.  The  model  is  in  terms  of  its  error  characteristics  and  the  type  of  named  physical 
quantities  which  it  can  measure. 

;;;  sensor  and  bounds  on  its  errors. 

(FUNDEF  LS  (X)  (♦  -0.0004  X)) 

(FUNDEF  RS  (X)  (*  0.0004  X)) 

(DEFSENS0R  CAMERA  LS  RS  '(POSITION)) 


Now  the  four  plans  are  defined.  There  are  up  to  four  slots  defined  for  each  plan. 
NPQ-INIT  is  a  list  of  named  physical  quantities  which  describe  the  state  of  the  world  at 
entry  to  the  plan.  NPQ-ADDED-DEFS  is  a  list  of  pairs  describing  named  physical  quantities 
introduced  into  the  world  state  by  the  action  of  the  plan.  The  first  element  of  each  pair  is 
the  name  of  the  new  quantity  and  the  second  is  an  expression  whose  nominal  value  will  be 
used  as  a  nominal  value  for  the  introduced  quantity.  Thus  in  plan  A  the  lid  is  to  be  placed 
in  the  same  nominal  place  as  the  box.  The  slots  ABSTRACT-CA  and  ABSTRACT-CC  describe 
the  constraint  sets  C a  and  Cg  in  terms  of  the  named  physical  quantities.  During  the  plan 
checking  process  they  will  be  expanded  in  terms  of  plan  and  uncertainty  variables.  As 
sensing  operations  get  introduced,  those  expansions  will  change. 

; ; ;  plan  definitions 

(DEFPLAN  PLANA 

NPQ-INIT  ’(BOX-POSITION) 

NPQ-ADDED-DEFS  '((LID-POSITION  BOX- POSITION)) 

ABSTRACT-CA  '((IN  (NOMINAL  LID-POSITION)  12.0  36.0)) 

ABSTRACT-CC  '((IN  (UNCERTAINTY  LID-POSITION) 

(EL  (NOMINAL  LID-POSITION)) 

(EH  (NOMINAL  LID-POSITION))))) 


(DEFPLAN  PLANB 

NPQ-INIT  '(BOX-POSITION  LID-POSITION) 

ABSTRACT-CA  '((IN  (-  BOX-POSITION  LID-POSITION)  -1.0  1.0))) 


(DEFPLAN  PLANC 

NPQ-INIT  '(BOX-POSITION  LID-POSITION) 

NPQ-ADDED-DEFS  ’((BOLT-POSITION  LID-POSITION)) 
ABSTRACT-CA  ’((IN  (NOMINAL  BOLT-POSITION)  12.0  36.0)) 

ABSTRACT-CG  ’((IN  (UNCERTAINTY  BOLT-POSITION) 

(EL  (NOMINAL  BOLT-POSITION)) 

(EH  (NOMINAL  BOLT-POSITION))))) 


(DEFPLAN  PLAND 

NPQ-INIT  ‘(BOX-POSITION  LID-POSITION  BOLT-POSITION) 
ABSTRACT-CA  ’((IN  (-  BOLT-POSITION  LID-POSITION) 

(55  -7.  64.) 

(55  7.  64.)) 

(IN  (-  LID-POSITION  BOX-POSITION) 

.  (5!  -3.  64.) 

(5!  3.  64.)))) 


Finally,  the  initial  state  of  the  world  is  specified,  and  plan  A  is  appropriately  initialized. 
The  slot  NPQ-LIST  is  filled  with  a  list  of  named  physical  quantities  corresponding  to  physical 
realities  in  the  world’s  initial  state,  while  ABSTRACT-CS  is  a  list  of  constraints  which  describe 
the  possible  initial  states  of  the  world. 

; ; ;  initial  state  of  the  world 

(INITIALIZE-PLAN  PLANA 

NPQ-LIST  ’ (BOX-POSITION) 

ABSTRACT-CS  ’((IN  (NOMINAL  BOX-POSITION)  12.0  36.0) 

(IN  (UNCERTAINTY  BOX-POSITION) 

(EL  (NOMINAL  BOX-POSITION)) 

(EH  (NOMINAL  BOX-POSITION))))) 


